Abstract — Timed automata (TAs) are a common formalism 
for modeling timed systems. Bounded model checking (BMC) 
is a verification method that searches for runs violating a 
property using a SAT or SMT solver. MITL is a real-time 
extension of the linear time logic LTL. Originally, MITL was 
defined for traces of non-overlapping time intervals rather 
than the "super-dense" time traces allowing for intervals 
overlapping in single points that are employed by the nowadays 
common semantics of timed automata. In this paper we extend 
the semantics of a fragment of MITL to super-dense time 
traces and devise a bounded model checking encoding for 
the fragment. We prove correctness and completeness in the 
sense that using a sufficiently large bound a counter-example 
to any given non-holding property can be found. We have 
implemented the proposed bounded model checking approach 
and experimentally studied the efficiency and scalability of the 
implementation. 

Keywords: timed automaton; metric interval temporal logic; bounded model checking; satisfiability modulo theories

I. Introduction 

Fully-automated verification has many industrial applica- 
tions. A particularly interesting and challenging setting for 
the use of verification are systems for which timing aspects 
are of high importance like safety instrumented systems or 
communication protocols. In this paper, we study verification 
in a setting where both the system and the specification 
contain quantitative timing aspects, allowing not only to 
specify, e.g., that a certain situation will eventually lead to 
a reaction but also that the reaction will happen within a 
certain amount of time. Allowing such timing aspects to 
be part of both the specification and the system adds an 
additional challenge. 

Timed automata [1] are a widely employed formalism for 
the representation of finite state systems augmented with 
real-valued clocks. Timed automata have been studied for 
two decades and various tools for the verification of timed 
automata exist. Most existing verification techniques and 
tools, like the model checker Uppaal [2], however do not 
support quantitative specifications on the timing of events. 
We feel that the ability to state, e.g., that a certain condition 
triggers a reaction within a certain amount of time provides 
a clear improvement over being able only to specify that a 
reaction will eventually occur. For specifications, we use the linear time logic $\mathrm{MITL}_{0,\infty}$ [3], an extension adding lower and upper time bounds to the popular logic LTL.

Industrial size systems often have a huge discrete state 
space in addition to the infinite state space of timing- 
related parts of the system. We feel that fully symbolic 
verification is a key to tackling large discrete state spaces. 
We, thus, provide a translation of a pair of a timed automaton representing a system and a $\mathrm{MITL}_{0,\infty}$ formula into a
symbolic transition system that can serve as a foundation 
for various symbolic verification methods. It is proven that 
the translated system has a trace if and only if the original 
timed automaton has a trace satisfying the formula. We, 
furthermore, demonstrate how to employ the translation 
for SMT-based bounded model checking using the region- 
abstraction for timed automata [1]. We show completeness 
of the approach and prove the applicability of the region 
abstraction to the transition system. Finally, we evaluate 
the scalability of the approach and the cost for checking 
specifications containing timing experimentally. 

$\mathrm{MITL}_{0,\infty}$ is a fragment of the logic MITL [3] for which the question whether or not a given timed automaton has a trace satisfying or violating a given formula is PSPACE-complete [3]. Previously, a verification approach for $\mathrm{MITL}_{0,\infty}$ specifications was introduced in [3] and improved upon
in [4]. At this point, however, there are to our best knowledge 
no implementations or results of experiments using these 
methods available. Additionally, a major difference between 
the techniques described in [3], [4] and our approach lies 
in the precise semantics of timed automata used. While 
previous approaches use dense-time semantics, we extend $\mathrm{MITL}_{0,\infty}$ to super-dense time. Although dense and super-dense time semantics of timed automata are often used interchangeably in the literature (and in fact do not differ in any important fashion when, e.g., verifying reachability constraints), we will show that equivalences between $\mathrm{MITL}_{0,\infty}$ formulas fundamental to the techniques in [3], [4] do not hold anymore when using super-dense time semantics.

II. Timed Automata 

We first give basic definitions for timed automata (see e.g. [1], [5], [6]). For simplicity, we use basic timed automata in the theoretical parts of the paper. However, in practice (and in the experimental part of the paper) one usually defines a network of timed automata that can also have (shared and local) finite domain non-clock variables manipulated on the edges. The symbolic bounded model checking encodings presented later in the paper can be extended to handle both of these features: see, e.g., [7], [8] on how to handle synchronization in a network of timed automata. Alternatively, one can specify timed systems with a symbolic formalism [9].

[Figure 1. A timed automaton]

Let $X$ be a set of real-valued clock variables. A clock valuation $v$ is a function $v : X \to \mathbb{R}_{\ge 0}$. For $\delta \in \mathbb{R}_{\ge 0}$ we define the valuation $v+\delta$ by $\forall x \in X : (v+\delta)(x) = v(x)+\delta$. The set of clock constraints over $X$, $\mathcal{C}(X)$, is defined by the grammar $C ::= \mathit{true} \mid x \bowtie n \mid C \wedge C$ where $x \in X$, $\bowtie \in \{<, \le, =, \ge, >\}$ and $n \in \mathbb{N}$. A valuation $v$ satisfies $C \in \mathcal{C}(X)$, denoted by $v \models C$, if it evaluates $C$ to true.

A timed automaton (TA) is a tuple $(L, l_{\mathit{init}}, X, E, I)$ where

• $L$ is a finite set of locations,

• $l_{\mathit{init}} \in L$ is the initial location of the automaton,

• $X$ is a finite set of real-valued clock variables,

• $E \subseteq L \times \mathcal{C}(X) \times 2^X \times L$ is a finite set of edges, each edge $(l, g, R, l') \in E$ specifying a guard $g$ and a set $R$ of clocks to be reset, and

• $I : L \to \mathcal{C}(X)$ assigns an invariant to each location.

As an example, Figure 1 shows a part of a timed automaton with locations $l_1, l_2, \ldots$, and two clocks $c_1$ and $c_2$. The initial location is $l_1$, having the invariant $c_1 < 5$. The invariant of the location $l_2$ is true. The edge from $l_1$ to $l_2$ has the guard $c_2 > 1$ and the reset set $\{c_2\}$. The guard of the edge from $l_2$ to $l_3$ is true and its reset set is empty.

A state of a timed automaton $A = (L, l_{\mathit{init}}, X, E, I)$ is a pair $(l, v)$, where $l \in L$ is a location and $v$ is a clock valuation over $X$. A state $(l, v)$ is (i) initial if $l = l_{\mathit{init}}$ and $v(x) = 0$ for each $x \in X$, and (ii) valid if $v \models I(l)$. Let $(l, v)$ and $(l', v')$ be states of $A$. There is a time elapse step of $\delta \in \mathbb{R}_{\ge 0}$ time units from $(l, v)$ to $(l', v')$, denoted by $(l, v) \xrightarrow{\delta} (l', v')$, if (i) $l = l'$, (ii) $v' = v + \delta$, and (iii) $(l', v')$ is a valid state. Intuitively, there is a time elapse step from a state to another if the second state can be reached from the first one by letting $\delta$ amount of time pass. There is a discrete step from $(l, v)$ to $(l', v')$, denoted by $(l, v) \to (l', v')$, if there is an edge $(l, g, R, l') \in E$ such that (i) $v \models g$, (ii) $(l', v')$ is a valid state, and (iii) $v'(x) = 0$ for all $x \in R$ and $v'(x) = v(x)$ for all $x \in X \setminus R$. That is, discrete steps can be used to change the current location as long as the guard and the target location invariant are satisfied. A discrete step resets some clocks and leaves the values of the other clocks unchanged; in particular, a discrete step does not take any time.

A run of $A$ is an infinite sequence of states $\pi = (l_0, v_0) \xrightarrow{\delta_0} (l_1, v_1) \xrightarrow{\delta_1} \ldots$ such that (i) $(l_0, v_0)$ is valid and initial, and (ii) each consecutive pair of states is connected by a time elapse step $(l_i, v_i) \xrightarrow{\delta_i} (l_{i+1}, v_{i+1})$ with some $\delta_i \in \mathbb{R}_{\ge 0}$ or by a discrete step $(l_i, v_i) \to (l_{i+1}, v_{i+1})$, for which we take $\delta_i = 0$. E.g., the automaton in Figure 1 has a run $(l_1, (0, 0)) \xrightarrow{3.5} (l_1, (3.5, 3.5)) \to (l_2, (3.5, 0.0)) \to (l_3, (3.5, 0.0)) \xrightarrow{1.1} (l_3, (4.6, 1.1)) \ldots$ where each clock valuation $\{c_1 \mapsto v, c_2 \mapsto w\}$ is abbreviated with $(v, w)$. A run is non-zeno if the total amount $\sum_{i \ge 0} \delta_i$ of time passed in the run is infinite. In the rest of the paper, we will only consider non-zeno runs.

Observe that on timed automata runs, the automaton can visit multiple locations without time elapsing in between. For instance, at the time point 3.5 in the run given above, the automaton is after the first time elapse step in location $l_1$, then after the first discrete step in location $l_2$, and finally after the second discrete step in location $l_3$. This kind of "super-dense" run differs from the dense runs that can be represented with "signals", i.e. by mapping each time point in $\mathbb{R}_{\ge 0}$ to a single value. As we will see in the next section, considering super-dense timed automata runs complicates model checking as, e.g., we cannot get rid of the timed until operator in the way we could if dense runs were used.

Note that previous papers on timed automata use both dense (e.g. [1]) and super-dense time (e.g. [5]), often without addressing the different semantics. From a practical perspective, super-dense runs appear paradoxical, as they permit multiple successive events to happen with no time passing in between. An alternative way of interpreting super-dense time, however, is that the amount of time in between events is just too small to be of interest and is, thus, abstracted away. We also take the fact that Uppaal [2], arguably the most successful timed model checker, not only allows for super-dense time traces but actually even makes it possible to enforce super-dense behaviors by marking locations as "urgent" or "committed" as a strong indication that there is an interest in super-dense traces in practice.

III. The Logic $\mathrm{MITL}_{0,\infty}$ for Super-Dense Time 

Next, we describe the syntax and semantics of $\mathrm{MITL}_{0,\infty}$ formulas over "super-dense timed traces" which, as discussed in Sect. III-C, can represent timed automata runs.

A. Syntax and Semantics 

Assuming a set $AP$ of atomic propositions, the syntax of $\mathrm{MITL}_{0,\infty}$ formulas follows that in [3], and is defined by the BNF grammar $\varphi ::= p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \varphi\, \mathbf{U}^s_{\bowtie n}\, \varphi \mid \varphi\, \mathbf{R}^s_{\bowtie n}\, \varphi$ where $p$ ranges over $AP$, $n$ ranges over $\mathbb{N}$, and $\bowtie$ ranges over $\{<, \le, >, \ge\}$. Intuitively, a strict timed until formula $\varphi\, \mathbf{U}^s_{\bowtie n}\, \psi$ states that $\varphi$ holds in all later time points until $\psi$ holds at a later time point $t'$ satisfying the timing constraint $t' - t \bowtie n$, where $t$ is the current time point. Rational time constraints could be allowed in the temporal operators without influencing the expressivity of the logic (see [3] for MITL on dense traces). We define the usual abbreviations: $\mathit{true} = (p \vee \neg p)$, $\mathit{false} = \neg\mathit{true}$, $\mathbf{F}^s_{\bowtie n}\, \varphi = \mathit{true}\, \mathbf{U}^s_{\bowtie n}\, \varphi$ and $\mathbf{G}^s_{\bowtie n}\, \varphi = \mathit{false}\, \mathbf{R}^s_{\bowtie n}\, \varphi$.
We now define the semantics of $\mathrm{MITL}_{0,\infty}$ over "super-dense" timed traces, and then later show the correspondence of timed automata runs to such traces. A super-dense timed trace over a set of atomic propositions $AP$ is an infinite sequence $\sigma = (I_0, V_0)(I_1, V_1)\ldots$, where

• each $V_i$ is a subset of $AP$,

• each $I_i$ is either an open interval $(T_i, T_i')$ or a singleton $[T_i, T_i]$ with $0 \le T_i < T_i'$ and $T_i, T_i' \in \mathbb{R}_{\ge 0}$,

• $I_0 = [0, 0]$,

• for each $i \in \mathbb{N}$ it holds that (i) $I_i = (T_i, T_i')$ implies $I_{i+1} = [T_i', T_i']$, and (ii) $I_i = [T_i, T_i]$ implies either $I_{i+1} = [T_i, T_i]$ or $I_{i+1} = (T_i, T_{i+1}')$; and

• every $t \in \mathbb{R}_{\ge 0}$ is contained in at least one $I_i$.

For each trace element $(I_i, V_i)$, equivalently written as $\binom{I_i}{V_i}$, the interpretation is that the atomic propositions in $V_i$ hold in all the time points in the interval $I_i$. As consecutive singletons are allowed, it is possible for an atomic proposition to change its value an arbitrary finite number of times at a given time point. This is required to capture timed automata runs containing two or more successive discrete steps and differentiates super-dense timed traces from dense ones. In the semantics part we could have allowed general intervals; however, our constructions depend on discriminating the end points of left/right-closed intervals and thus we use this normal form already here. A dense timed trace is a super-dense timed trace with no consecutive singletons (i.e., every time point $t \in \mathbb{R}_{\ge 0}$ occurs in exactly one $I_i$).

The set of all points in a trace $\sigma$ is defined by $\mathcal{T}(\sigma) = \{(i, t) \mid i \in \mathbb{N}, t \in I_i\}$. Two points $(i, t), (i', t') \in \mathcal{T}(\sigma)$ are ordered with the "earlier" relation $\prec$ defined by $(i, t) \prec (i', t') \Leftrightarrow i < i' \vee (i = i' \wedge t < t')$, and the set of all points later than $(i, t)$ is defined by $\mathcal{T}^+(\sigma, (i, t)) := \{(i', t') \in \mathcal{T}(\sigma) \mid (i, t) \prec (i', t')\}$.

Given a super-dense timed trace $\sigma$ over $AP$, a formula $\varphi$ over $AP$, and a point $(i, t)$ in $\sigma$, we define the satisfaction relation $\sigma^{(i,t)} \models \varphi$ inductively as follows:

• $\sigma^{(i,t)} \models p$ iff $p \in V_i$, where $p$ is an atomic proposition.

• $\sigma^{(i,t)} \models \neg\varphi$ iff $\sigma^{(i,t)} \models \varphi$ does not hold.

• $\sigma^{(i,t)} \models (\varphi \wedge \psi)$ iff $\sigma^{(i,t)} \models \varphi$ and $\sigma^{(i,t)} \models \psi$.

• $\sigma^{(i,t)} \models (\varphi \vee \psi)$ iff $\sigma^{(i,t)} \models \varphi$ or $\sigma^{(i,t)} \models \psi$.

• $\sigma^{(i,t)} \models (\varphi\, \mathbf{U}^s_{\bowtie n}\, \psi)$ iff $\exists (i', t') \in \mathcal{T}^+(\sigma, (i, t)) : (t' - t \bowtie n) \wedge (\sigma^{(i',t')} \models \psi) \wedge (\forall (i'', t'') \in \mathcal{T}^+(\sigma, (i, t)) : (i'', t'') \prec (i', t') \Rightarrow \sigma^{(i'',t'')} \models \varphi)$.

• $\sigma^{(i,t)} \models (\varphi\, \mathbf{R}^s_{\bowtie n}\, \psi)$ iff $\forall (i', t') \in \mathcal{T}^+(\sigma, (i, t)) : ((t' - t \bowtie n) \wedge \neg(\sigma^{(i',t')} \models \psi)) \Rightarrow (\exists (i'', t'') \in \mathcal{T}^+(\sigma, (i, t)) : (i'', t'') \prec (i', t') \wedge (\sigma^{(i'',t'')} \models \varphi))$.

For any formula $\varphi$, we abbreviate $\sigma^{(0,0)} \models \varphi$ with $\sigma \models \varphi$.
Example 1: Consider the super-dense timed trace $\sigma = \binom{[0,0]}{\emptyset}\binom{(0,4)}{\{p\}}\binom{[4,4]}{\{p\}}\binom{[4,4]}{\{q\}}\binom{[4,4]}{\emptyset}\cdots$. Now $\sigma \models p\, \mathbf{U}^s_{\ge 4}\, q$ as $\sigma^{(3,4)} \models q$ and $\sigma^{(i,t)} \models p$ for all points $(i, t)$ with $0 < i < 3$ (i.e., $0 < t \le 4$). As another example, $\sigma \models \mathbf{F}^s_{\le 3}((\mathbf{G}^s_{<1}\, p) \wedge (\mathbf{F}^s_{\le 2}\, q))$ also holds because (i) $\sigma^{(1,t)} \models \mathbf{G}^s_{<1}\, p$ for all $0 < t < 3$, and (ii) $\sigma^{(1,t)} \models \mathbf{F}^s_{\le 2}\, q$ for all $2 \le t < 4$.



As illustrated in Ex. 1, neither $\varphi$ nor $\psi$ needs to hold in the current point in order to satisfy $\varphi\, \mathbf{U}^s_{\bowtie n}\, \psi$. Conversely, $\varphi\, \mathbf{U}^s_{\bowtie n}\, \psi$ with $\bowtie \in \{<, \le\}$ does not necessarily hold even if $\psi$ holds in the first state: e.g., a trace whose initial element is $\binom{[0,0]}{\{q\}}$ and in which $q$ holds at no later point does not satisfy $p\, \mathbf{U}^s_{<2}\, q$. As [3] observes, the reason for this slightly unintuitive semantics is that it allows expressing formulas that would not be expressible if a more intuitive semantics, in which the current point in time is relevant for the timed until operator as well, were used. On the other hand, expressing that $\varphi$ holds from the current point in time on until $\psi$ holds can be done using the formula $\psi \vee (\varphi \wedge (\varphi\, \mathbf{U}^s_{\bowtie n}\, \psi))$.

We can define the "untimed versions" of the temporal operators with $\mathbf{F}^s\, \varphi = \mathbf{F}^s_{\ge 0}\, \varphi$, $\mathbf{G}^s\, \varphi = \mathbf{G}^s_{\ge 0}\, \varphi$, $\varphi\, \mathbf{U}^s\, \psi = \varphi\, \mathbf{U}^s_{\ge 0}\, \psi$, and $\varphi\, \mathbf{R}^s\, \psi = \varphi\, \mathbf{R}^s_{\ge 0}\, \psi$. An easily made misconception is that the time aspect of a timed trace is irrelevant when evaluating "untimed" operators, i.e., that they could be evaluated on the $\omega$-words obtained by removing the intervals from a trace; this is not the case. In fact, even when not taking the "only in the future" part of the semantics, illustrated in the previous example, into account, considering the sets of propositions only is not sufficient. As an example, the formula $p\, \mathbf{U}^s\, q$ is satisfied on $\binom{[0,0]}{\{p\}}\binom{(0,2)}{\{p\}}\binom{[2,2]}{\{q\}}\cdots$ but not on $\binom{[0,0]}{\{p\}}\binom{(0,2)}{\{p\}}\binom{[2,2]}{\{p\}}\binom{(2,3.5)}{\{q\}}\cdots$, although the $\omega$-word $\{p\}\{p\}\{p\}\{q\}\cdots$ of the second trace satisfies $p\, \mathbf{U}\, q$ as an LTL formula. The issue in the second trace is that as the interval on which $q$ holds is an open one, any point in it has a previous point at which only $q$, but not $p$, holds. This illustrates that even for the "untimed" versions of the operators, timing is relevant.
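The point-based semantics above can be checked mechanically for the simple formulas used in these examples. The following Python program is an added example and not part of the original paper: it represents a finite prefix of a super-dense timed trace in the normal form of this section and decides $\varphi\, \mathbf{U}^s_{\bowtie n}\, \psi$ at a point $(i,t)$ when $\varphi$ and $\psi$ are atomic propositions (or $\mathit{true}$, which also covers $\mathbf{F}^s_{\bowtie n}$). Because the operands are atomic, their truth is constant on each interval, so the witness search only has to decide which open interval or singleton contains a point meeting the timing constraint; a witness found in the prefix is a genuine witness, whereas None only means that no witness lies within the prefix. The traces are constructed to mirror Example 1 and the two traces just discussed; the (lo, hi, is_open) encoding of intervals and all function names are choices of this example.

```python
from fractions import Fraction
from typing import FrozenSet, List, Optional, Tuple

# A finite prefix of a super-dense timed trace (Sect. III-A): a list of (I_i, V_i),
# where an interval is encoded as (lo, hi, is_open): the singleton [lo,lo] when
# is_open is False, the open interval (lo, hi) when it is True.
Interval = Tuple[Fraction, Fraction, bool]
Trace = List[Tuple[Interval, FrozenSet[str]]]


def F(x) -> Fraction:
    """Exact time points (avoids binary floating-point rounding)."""
    return Fraction(str(x))


def V(*props: str) -> FrozenSet[str]:
    return frozenset(props)


def is_normal_form(trace: Trace) -> bool:
    """Checks the normal form of Sect. III-A on a prefix: I_0 = [0,0]; an open
    interval is followed by the singleton at its right end point; a singleton is
    followed by another singleton at the same point or by an open interval that
    starts there. (Coverage of every t >= 0 is a property of the infinite trace.)"""
    if not trace or trace[0][0] != (F(0), F(0), False):
        return False
    for (lo, hi, is_open), _ in trace:
        if lo < 0 or (is_open and not lo < hi) or (not is_open and lo != hi):
            return False
    for ((lo, hi, is_open), _), ((lo2, _, open2), _) in zip(trace, trace[1:]):
        if is_open and (open2 or lo2 != hi):
            return False
        if not is_open and lo2 != lo:
            return False
    return True


def holds(lit: Optional[str], v: FrozenSet[str]) -> bool:
    return lit is None or lit in v        # None stands for the constant true


def compare(x: Fraction, cmp: str, n: int) -> bool:
    return {"<": x < n, "<=": x <= n, ">": x > n, ">=": x >= n}[cmp]


def strict_until(trace: Trace, i: int, t: Fraction, phi: Optional[str],
                 psi: Optional[str], cmp: str, n: int) -> Optional[int]:
    """Decides sigma^(i,t) |= phi U^s_{cmp n} psi for atomic (or true) operands.

    Returns the index i' of the interval holding a witness point (i',t'): psi holds
    there, t' - t cmp n, and phi holds at every point strictly between (i,t) and
    (i',t'). Returns None when the prefix contains no witness."""
    for j in range(i, len(trace)):
        (lo, hi, is_open), vj = trace[j]
        if not holds(psi, vj):
            continue
        if not is_open:
            # a singleton offers one candidate point, and only if it is strictly later
            if j == i or not compare(lo - t, cmp, n):
                continue
        else:
            # candidates form the open set (a, hi); t' - t cmp n must be satisfiable there
            a = max(lo, t) if j == i else lo
            bound = t + n
            if cmp in (">", ">=") and not max(a, bound) < hi:
                continue
            if cmp in ("<", "<=") and not a < bound:
                continue
        # every point strictly between (i,t) and the witness must satisfy phi:
        between = list(range(i + 1, j))
        if trace[i][0][2]:                 # points of I_i after t (I_i open)
            between.append(i)
        if j != i and is_open:             # points of I_j before t' (I_j open)
            between.append(j)
        if all(holds(phi, trace[k][1]) for k in between):
            return j
    return None


# Constructed prefixes mirroring Example 1 and the two traces discussed above.
EXAMPLE_1: Trace = [((F(0), F(0), False), V()), ((F(0), F(4), True), V("p")),
                    ((F(4), F(4), False), V("p")), ((F(4), F(4), False), V("q")),
                    ((F(4), F(4), False), V())]
Q_FIRST: Trace = [((F(0), F(0), False), V("q")), ((F(0), F(3), True), V("p")),
                  ((F(3), F(3), False), V("p"))]
UNTIMED_OK: Trace = [((F(0), F(0), False), V("p")), ((F(0), F(2), True), V("p")),
                     ((F(2), F(2), False), V("q"))]
UNTIMED_BAD: Trace = [((F(0), F(0), False), V("p")), ((F(0), F(2), True), V("p")),
                      ((F(2), F(2), False), V("p")), ((F(2), F(3.5), True), V("q"))]


def demo() -> dict:
    return {
        "Ex.1: p U>=4 q at (0,0)": strict_until(EXAMPLE_1, 0, F(0), "p", "q", ">=", 4),
        "Ex.1: F<=2 q at (1,2.5)": strict_until(EXAMPLE_1, 1, F(2.5), None, "q", "<=", 2),
        "Ex.1: F<=2 q at (1,1.5)": strict_until(EXAMPLE_1, 1, F(1.5), None, "q", "<=", 2),
        "q first: p U<2 q at (0,0)": strict_until(Q_FIRST, 0, F(0), "p", "q", "<", 2),
        "untimed p U q, q on [2,2]": strict_until(UNTIMED_OK, 0, F(0), "p", "q", ">=", 0),
        "untimed p U q, q on (2,3.5)": strict_until(UNTIMED_BAD, 0, F(0), "p", "q", ">=", 0),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", "no witness" if result is None else f"witness in interval {result}")
```

The two "untimed" cases show the effect discussed above: with $q$ on the singleton $[2,2]$ a witness is found, while with $q$ on the open interval $(2,3.5)$ every candidate point has an earlier point in the same interval at which $p$ fails, so no witness exists even though the proposition sets alone look like an LTL model of $p\, \mathbf{U}\, q$.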

Observe that with super-dense timed traces we cannot get rid of the timed until operator $\mathbf{U}^s_{\bowtie n}$ by using the "timed until is redundant" theorem of [4], vital for the transducer construction presented there. That is, $\varphi\, \mathbf{U}^s_{\ge n}\, \psi$ is not equivalent to $(\mathbf{G}^s_{\le n}(\varphi\, \mathbf{U}\, \psi)) \wedge \mathbf{F}^s_{\ge n}\, \psi$ in our setting.¹ For example, on a trace $\sigma$ with several consecutive singleton intervals at time point 2 we can have $\sigma \models p\, \mathbf{U}^s_{\ge 2}\, q$ but $\sigma \not\models (\mathbf{G}^s_{\le 2}(p\, \mathbf{U}\, q)) \wedge \mathbf{F}^s_{\ge 2}\, q$ as $\sigma^{(4,2)} \not\models p\, \mathbf{U}\, q$ (on such a trace $q$ can hold on one singleton at time point 2 while a later singleton at the same time point satisfies neither $p$ nor $q$). Likewise, the corresponding equivalences used in [3] do not hold when using super-dense time, e.g. $p\, \mathbf{U}^s_{\ge 2}\, q$ is not equivalent to $\mathbf{G}^s_{<2}\, p \wedge \mathbf{G}^s_{\le 2}(q \vee (p \wedge (p\, \mathbf{U}^s\, q)))$, which can be demonstrated by the exact same trace.

Similarly, it is not possible to use the classic LTL equality $\varphi\, \mathbf{R}\, \psi \equiv (\mathbf{G}\, \psi) \vee (\psi\, \mathbf{U}\, (\varphi \wedge \psi))$ to handle the timed release operator by means of the other operators in our setting: e.g., there are traces $\sigma$ with $\sigma \models \varphi\, \mathbf{R}^s_{<3}\, \psi$ but $\sigma \not\models \mathbf{G}^s_{<3}\, \psi$ and $\sigma \not\models \psi\, \mathbf{U}^s_{<3}\, (\varphi \wedge \psi)$. This happens, for instance, when $\psi$ holds on an initial stretch of the trace that is immediately followed by an open interval on which $\varphi$ but not $\psi$ holds: every point violating $\psi$ then has an earlier point satisfying $\varphi$, but no point satisfies $\varphi \wedge \psi$.

One can verify that the usual dualities hold for the operators: $\neg\neg\varphi \equiv \varphi$, $\neg(\varphi \vee \psi) \equiv (\neg\varphi) \wedge (\neg\psi)$, $\neg(\varphi \wedge \psi) \equiv (\neg\varphi) \vee (\neg\psi)$, $\neg(\varphi\, \mathbf{U}^s_{\bowtie n}\, \psi) \equiv (\neg\varphi)\, \mathbf{R}^s_{\bowtie n}\, (\neg\psi)$, and $\neg(\varphi\, \mathbf{R}^s_{\bowtie n}\, \psi) \equiv (\neg\varphi)\, \mathbf{U}^s_{\bowtie n}\, (\neg\psi)$. These allow us to transform a formula into positive normal form in which negations only appear in front of atomic propositions. From now on, we assume that all formulas are in positive normal form.

¹ Here, $\mathbf{U}$ is the non-strict until operator, i.e. $\varphi\, \mathbf{U}\, \psi := \psi \vee (\varphi \wedge (\varphi\, \mathbf{U}^s\, \psi))$.



B. Trace Refinement and Fineness 

To perform model checking of $\mathrm{MITL}_{0,\infty}$ formulas, we do not want the values of sub-formulas to change during open intervals. We next formalize this and show how it can be achieved by means of trace refinement; the definitions and results here are extended from those in Sect. 2 of [3].

A trace $\sigma'$ is a refinement of a trace $\sigma$, denoted by $\sigma' \le \sigma$, if it can be obtained by replacing each open interval $\binom{(T_i, T_i')}{V_i}$ in the trace $\sigma$ with a sequence $\binom{(T_{i,0}, T_{i,1})}{V_i}\binom{[T_{i,1}, T_{i,1}]}{V_i}\binom{(T_{i,1}, T_{i,2})}{V_i}\cdots\binom{(T_{i,k-1}, T_{i,k})}{V_i}$ of $2k-1$ consecutive, non-overlapping intervals with $k \ge 1$, $T_{i,0} = T_i$ and $T_{i,k} = T_i'$. Naturally, if $\varphi$ is a $\mathrm{MITL}_{0,\infty}$ formula and $\sigma'$ is a refinement of $\sigma$, then $\sigma' \models \varphi$ iff $\sigma \models \varphi$.

Taking an arbitrary trace $\sigma$, it may happen that the value of a compound sub-formula changes within an open interval. To capture the desired case when this does not happen, we call $\sigma$ fine for a formula $\varphi$ (or $\varphi$-fine) if for each sub-formula $\psi$ of $\varphi$ (including $\varphi$ itself), for each interval $I_i$ in $\sigma$, and for all $t, t' \in I_i$, it holds that $\sigma^{(i,t)} \models \psi$ iff $\sigma^{(i,t')} \models \psi$.

Example 2: The following super-dense timed trace $\sigma = \binom{[0,0]}{\{p\}}\binom{(0,4.1)}{\{p\}}\binom{[4.1,4.1]}{\{p\}}\binom{[4.1,4.1]}{\{q\}}\cdots$ is not fine for $\mathbf{G}^s_{<1}\, p$ as, e.g., (i) $\sigma^{(1,t)} \models \mathbf{G}^s_{<1}\, p$ for all $0 < t \le 3.1$ but (ii) $\sigma^{(1,t)} \not\models \mathbf{G}^s_{<1}\, p$ for all $3.1 < t < 4.1$. We can make the beginning of the trace $\mathbf{G}^s_{<1}\, p$-fine by refining it to $\binom{[0,0]}{\{p\}}\binom{(0,3.1)}{\{p\}}\binom{[3.1,3.1]}{\{p\}}\binom{(3.1,4.1)}{\{p\}}\binom{[4.1,4.1]}{\{p\}}\cdots$.
By definition, every trace $\sigma$ is fine for each atomic proposition $p \in AP$. Furthermore, if $\sigma$ is $\varphi$-fine and $\psi$-fine, then it is also fine for $\neg\varphi$, $\varphi \wedge \psi$, and $\varphi \vee \psi$. For the temporal operators $\mathbf{U}^s_{\bowtie n}$ and $\mathbf{R}^s_{\bowtie n}$, we have the following lemma stating that their values can change only once during an open interval given that the trace is fine for the sub-formulas:

Lemma 1: If a trace $\sigma$ is fine for $\varphi$ and $\psi$, $i \in \mathbb{N}$, $t, u \in I_i$, $\lhd \in \{<, \le\}$, and $\rhd \in \{>, \ge\}$, then

• if $\sigma^{(i,t)} \models \varphi\, \mathbf{U}^s_{\lhd n}\, \psi$ and $u > t$, then $\sigma^{(i,u)} \models \varphi\, \mathbf{U}^s_{\lhd n}\, \psi$;

• if $\sigma^{(i,t)} \models \varphi\, \mathbf{U}^s_{\rhd n}\, \psi$ and $u < t$, then $\sigma^{(i,u)} \models \varphi\, \mathbf{U}^s_{\rhd n}\, \psi$;

• if $\sigma^{(i,t)} \models \varphi\, \mathbf{R}^s_{\lhd n}\, \psi$ and $u < t$, then $\sigma^{(i,u)} \models \varphi\, \mathbf{R}^s_{\lhd n}\, \psi$;

• if $\sigma^{(i,t)} \models \varphi\, \mathbf{R}^s_{\rhd n}\, \psi$ and $u > t$, then $\sigma^{(i,u)} \models \varphi\, \mathbf{R}^s_{\rhd n}\, \psi$.

Thus, if $\sigma$ is fine for two formulas, it can be made fine for their compound by splitting each open interval at most once.

Lemma 2: Let $\varphi$ be a $\mathrm{MITL}_{0,\infty}$ formula and $\sigma$ a trace. There is a refinement $\sigma'$ of $\sigma$ that is $\varphi$-fine. Such a refinement can be obtained by splitting each open interval in $\sigma$ into at most $2^K$ new open intervals and $2^K - 1$ singletons, where $K$ is the number of timed until and release operators in $\varphi$.

C. Timed Automata Runs as Super-Dense Timed Traces 

We now describe the relationship between timed automata runs and super-dense timed traces. In our theory part, when model checking timed automata with $\mathrm{MITL}_{0,\infty}$, we assume that the atomic propositions only concern locations of the automaton. That is, they are of the form "$@l_i$", where $l_i$ is a location in the automaton. Of course, in practice when compositions of timed automata with discrete local variables are handled, the atomic propositions can be more complex. However, we do assume that the atomic propositions do not change their values during the time elapse steps.

Consider a run $\pi = (l_0, v_0) \xrightarrow{\delta_0} (l_1, v_1) \xrightarrow{\delta_1} \ldots$ of a timed automaton $A$. For each $(l_i, v_i)$ in $\pi$ let $t_i = \sum_{j=0}^{i-1} \delta_j$ be the cumulative time spent in the run before the state, i.e. $t_i$ is "the time when the state occurs in $\pi$". Thus, at the time point $t_i$ the automaton is in the state $(l_i, v_i)$ and we shall have $\binom{[t_i, t_i]}{\{@l_i\}}$ in the corresponding timed trace. The time elapse steps in the run produce the missing open intervals: when $(l_i, v_i) \xrightarrow{\delta_i} (l_{i+1}, v_{i+1})$ with $\delta_i > 0$ (and thus $l_i = l_{i+1}$), then an open interval element $\binom{(t_i, t_{i+1})}{\{@l_i\}}$ lies in between $\binom{[t_i, t_i]}{\{@l_i\}}$ and $\binom{[t_{i+1}, t_{i+1}]}{\{@l_{i+1}\}}$ in the timed trace.

Example 3: The run $(l_1, (0, 0)) \xrightarrow{3.5} (l_1, (3.5, 3.5)) \to (l_2, (3.5, 0)) \to (l_3, (3.5, 0)) \xrightarrow{1.1} (l_3, (4.6, 1.1)) \ldots$ of the automaton in Figure 1 corresponds to the trace $\sigma = \binom{[0,0]}{\{@l_1\}}\binom{(0,3.5)}{\{@l_1\}}\binom{[3.5,3.5]}{\{@l_1\}}\binom{[3.5,3.5]}{\{@l_2\}}\binom{[3.5,3.5]}{\{@l_3\}}\binom{(3.5,4.6)}{\{@l_3\}}\cdots$

Recall that we will need to consider certain refinements of timed traces when model checking with $\mathrm{MITL}_{0,\infty}$ formulas. All the refinements of a timed trace produced by a timed automaton run can be produced by other runs of the same automaton. That is, considering a trace coming from a run $\pi = (l_0, v_0) \xrightarrow{\delta_0} (l_1, v_1) \xrightarrow{\delta_1} \ldots$ of a timed automaton, each refinement can be obtained by considering the corresponding run $\pi'$ where each time elapse step $(l_i, v_i) \xrightarrow{\delta_i} (l_{i+1}, v_{i+1})$ in $\pi$, with $\delta_i > 0$ and $l_{i+1} = l_i$, is split into a sequence $(l_i, v_i) \xrightarrow{\delta_{i,1}} (l_i, v_{i,1}) \xrightarrow{\delta_{i,2}} \cdots \xrightarrow{\delta_{i,k}} (l_i, v_{i,k})$ of time elapse steps such that $\sum_{1 \le j \le k} \delta_{i,j} = \delta_i$ (and thus $v_{i,k} = v_{i+1}$).
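The constructions of Sect. II and of this section can be executed directly. The following Python program is an added example and not part of the original paper: it checks a sequence of time elapse and discrete steps against guards, reset sets and invariants as defined in Sect. II, and turns the resulting run prefix into the super-dense timed trace described above. The automaton is a constructed model of the part of Figure 1 that the text describes; the invariant of $l_3$ being true and the absence of further edges are assumptions of this example, as are all function and field names. Clock values are Fractions so that $3.5 + 1.1$ is exactly $4.6$.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, FrozenSet, List, Tuple

# Clock constraints C(X) of Sect. II as conjunctions of atoms (clock, op, n);
# the empty conjunction is true.
Atom = Tuple[str, str, int]
Guard = List[Atom]
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
       ">=": lambda a, b: a >= b, ">": lambda a, b: a > b}

Valuation = Dict[str, Fraction]
State = Tuple[str, Valuation]


def satisfies(v: Valuation, c: Guard) -> bool:
    """v |= C: every atom x op n of the conjunction evaluates to true under v."""
    return all(OPS[op](v[x], n) for x, op, n in c)


@dataclass(frozen=True)
class TA:
    init: str
    clocks: FrozenSet[str]
    edges: List[Tuple[str, Guard, FrozenSet[str], str]]   # (l, g, R, l')
    invariants: Dict[str, Guard]                           # I(l); absent = true

    def invariant(self, l: str) -> Guard:
        return self.invariants.get(l, [])


def time_elapse(ta: TA, s: State, delta: Fraction) -> State:
    """(l,v) --delta--> (l, v+delta), valid only if the target state satisfies I(l)."""
    l, v = s
    v2 = {x: val + delta for x, val in v.items()}
    if delta < 0 or not satisfies(v2, ta.invariant(l)):
        raise ValueError(f"invariant of {l} violated after letting {delta} time units pass")
    return (l, v2)


def discrete_step(ta: TA, s: State, k: int) -> State:
    """(l,v) --> (l',v') along edge E[k]: guard enabled, clocks in R reset, I(l') holds."""
    l, v = s
    src, g, resets, dst = ta.edges[k]
    if src != l or not satisfies(v, g):
        raise ValueError(f"edge {k} is not enabled in state {s}")
    v2 = {x: (Fraction(0) if x in resets else val) for x, val in v.items()}
    if not satisfies(v2, ta.invariant(dst)):
        raise ValueError(f"invariant of target location {dst} violated")
    return (dst, v2)


def run_and_trace(ta: TA, steps):
    """Executes a run prefix given as ('delay', d) and ('edge', k) steps.

    Returns (states, trace): the visited states and the super-dense timed trace of
    Sect. III-C as a list of ((lo, hi, is_open), {'@l'}) elements; every state yields
    the singleton [t_i, t_i] and every positive delay the open interval (t_i, t_{i+1})."""
    v0 = {x: Fraction(0) for x in ta.clocks}
    if not satisfies(v0, ta.invariant(ta.init)):
        raise ValueError("initial state is not valid")
    states: List[State] = [(ta.init, v0)]
    trace = [((Fraction(0), Fraction(0), False), frozenset({"@" + ta.init}))]
    now = Fraction(0)
    for kind, arg in steps:
        if kind == "delay":
            d = Fraction(arg)
            nxt = time_elapse(ta, states[-1], d)
            if d > 0:                       # a zero-length elapse adds no open interval
                trace.append(((now, now + d, True), frozenset({"@" + nxt[0]})))
            now += d
        elif kind == "edge":
            nxt = discrete_step(ta, states[-1], arg)
        else:
            raise ValueError(f"unknown step kind {kind!r}")
        states.append(nxt)
        trace.append(((now, now, False), frozenset({"@" + nxt[0]})))
    return states, trace


def is_run_prefix(ta: TA, steps) -> bool:
    """True iff the step sequence respects all guards and invariants."""
    try:
        run_and_trace(ta, steps)
        return True
    except ValueError:
        return False


def render(trace) -> List[str]:
    """Readable form of a trace, e.g. '(0,3.5):@l1' or '[3.5,3.5]:@l2'."""
    out = []
    for (lo, hi, is_open), props in trace:
        iv = f"({float(lo):g},{float(hi):g})" if is_open else f"[{float(lo):g},{float(lo):g}]"
        out.append(iv + ":" + ",".join(sorted(props)))
    return out


# Constructed model of the part of Figure 1 described in the text. The invariant
# of l3 (true) and the absence of further edges are assumptions of this example.
FIG1 = TA(init="l1", clocks=frozenset({"c1", "c2"}),
          edges=[("l1", [("c2", ">", 1)], frozenset({"c2"}), "l2"),
                 ("l2", [], frozenset(), "l3")],
          invariants={"l1": [("c1", "<", 5)]})


def example_3():
    """The run of Example 3: 3.5 time units in l1, edges to l2 and l3, then 1.1 time units."""
    return run_and_trace(FIG1, [("delay", "3.5"), ("edge", 0), ("edge", 1), ("delay", "1.1")])


if __name__ == "__main__":
    print("\n".join(render(example_3()[1])))
```

Note that two consecutive discrete steps produce three singletons at time 3.5 carrying different locations, which is exactly the super-dense behaviour a signal-based (dense) trace cannot express.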



IV. Symbolic Encoding of Timed Traces 

We now describe how to symbolically represent systems producing super-dense timed traces. The symbolic representation is intended not as a replacement for timed automata but as a foundation for their symbolic verification, i.e. it is intended for use in the "back-end" of the verification tool and not as a modeling language. After the formalism is introduced, it will be shown how timed automata can be represented in this framework. The next section will then address the question of how to encode $\mathrm{MITL}_{0,\infty}$ formulas in this framework so that they are symbolically evaluated. Finally, in Sect. VI it will be demonstrated how finite versions of these encodings can be obtained by using region abstraction, allowing us to perform actual symbolic model checking of $\mathrm{MITL}_{0,\infty}$ formulas on timed automata.

A. Symbolic Transition Systems with Clock-like Variables 

In the following, we use standard concepts of propositional and first-order logics, and assume that the formulas are interpreted modulo some background theory such as linear arithmetic (see e.g. [10] and the references therein). Given a set of typed variables, a valuation $v$ over the set is a function that assigns each variable in the set a value in the domain of the variable. We use $v \models \varphi$ to denote that $v$ evaluates a quantifier-free formula $\varphi$ over the set to true.

A symbolic transition system with clock-like variables, for brevity simply referred to as a transition system for the remainder of the paper, over a set $AP$ of atomic propositions is a tuple $(Z, X, \mathcal{I}, \mathcal{INV}, \mathcal{T}, \mathcal{F}, \overline{AP})$, where

• $Z = \{z_1, \ldots, z_n\}$ is a set of typed non-clock variables, $Z' = \{z_1', \ldots, z_n'\}$ being their next-state versions,

• $X = \{x_1, \ldots, x_m\}$ is a set of non-negative real-valued clock variables, $X' = \{x_1', \ldots, x_m'\}$ again being their next-state versions,

• $\mathcal{I}$ is the initial state formula over $Z \cup X$,

• $\mathcal{INV}$ is the state invariant formula over $Z \cup X$,

• $\mathcal{T}$ is the transition relation formula over $Z \cup X \cup \{\delta\} \cup Z' \cup X'$, with a real-valued duration variable $\delta$,

• $\mathcal{F}$ is a finite set of fairness formulas over $Z$, and

• $\overline{AP}$ associates each atomic proposition $p \in AP$ with a corresponding formula $\bar p$ over $Z$.

To ensure that the clock variables are used properly, we require that all the atoms in all the formulas in the system follow these rules: (i) if a non-clock variable in $Z$ or in $Z'$ occurs in the atom, then none of the variables in $X \cup X' \cup \{\delta\}$ occur in it, and (ii) if a variable in $X \cup X' \cup \{\delta\}$ occurs in it, then it is of one of the forms $x' = 0$, $x' = x + \delta$, $x \bowtie n$, $x + \delta \bowtie n$, or $\delta \bowtie 0$ where $\bowtie \in \{<, \le, =, \ge, >\}$, $x \in X$, $x' \in X'$ and $n \in \mathbb{N}$. Furthermore, for all valuations $\tau$ over $Z \cup X \cup \{\delta\} \cup Z' \cup X'$ such that $\tau \models \mathcal{T}$, it must hold that $\tau(\delta) \ge 0$ and for each clock $x \in X$ either $\tau(x') = 0$ or $\tau(x') = \tau(x) + \tau(\delta)$.

A state of the system now is a valuation $s$ over $Z \cup X$ and a run an infinite sequence $s_0 \xrightarrow{\delta_0} s_1 \xrightarrow{\delta_1} s_2 \ldots$ such that

• $\delta_0 = 0$ and for all $i \in \mathbb{N}$ we have $\delta_i \ge 0$, $s_i(x) \ge 0$ when $x \in X$, and $\delta_i > 0 \Rightarrow \delta_{i+1} = 0$,

• $s_0 \models \mathcal{I}$ and $s_i \models \mathcal{INV}$ holds for all $i \in \mathbb{N}$,

• for all $i \in \mathbb{N}$ it holds that $\{y \mapsto s_i(y) \mid y \in Z \cup X\} \cup \{\delta \mapsto \delta_i\} \cup \{y' \mapsto s_{i+1}(y) \mid y \in Z \cup X\} \models \mathcal{T}$, and

• for each $f \in \mathcal{F}$, there are infinitely many states $s_i$ in the run for which $s_i \models f$ holds.

A run $r = s_0 \xrightarrow{\delta_0} s_1 \xrightarrow{\delta_1} s_2 \ldots$ represents the super-dense timed trace $\mathit{trace}(r) = (I_0, V_0)(I_1, V_1)(I_2, V_2)\ldots$ over $AP$ where for each $i \in \mathbb{N}$,

• $V_i = \{p \in AP \mid s_i \models \bar p\}$, and

• letting $t_i = \sum_{j=0}^{i-1} \delta_j$, (i) if $\delta_i = 0$, then $I_i = [t_i, t_i]$, and (ii) if $\delta_i > 0$, then $I_i = (t_i, t_i + \delta_i)$.

The set of all traces of a transition system $\mathcal{S}$ is $\mathit{traces}(\mathcal{S}) = \{\mathit{trace}(r) \mid r \text{ is a run of } \mathcal{S}\}$. The transition system $\mathcal{S}$ is refinement-admitting if $\sigma \in \mathit{traces}(\mathcal{S})$ implies $\sigma' \in \mathit{traces}(\mathcal{S})$ for all the refinements $\sigma'$ of $\sigma$.

B. Encoding Timed Automata Traces 

Recall the correspondence between timed automata runs and traces discussed in Sect. III-C. Given a timed automaton $A = (L, l_{\mathit{init}}, X, E, I)$, we can encode it as a transition system $\mathcal{S}_A = (Z, X, \mathcal{I}, \mathcal{INV}, \mathcal{T}, \emptyset, \overline{AP})$, where²

• $Z = \{\mathit{at}\}$, where $\mathit{at}$ is a variable with the domain $L$,

• $\mathcal{I} := (\mathit{at} = l_{\mathit{init}}) \wedge \bigwedge_{x \in X}(x = 0)$,

• $\mathcal{INV} := \bigwedge_{l \in L}((\mathit{at} = l) \Rightarrow I(l))$,

• $\mathcal{T} := \big((\delta = 0 \wedge \delta' = 0) \Rightarrow \bigvee_{(l, g, R, l') \in E}(\mathit{at} = l \wedge \mathit{at}' = l' \wedge g \wedge \bigwedge_{x \in R} x' = 0 \wedge \bigwedge_{x \in X \setminus R} x' = x + \delta)\big) \wedge \big((\delta > 0 \vee \delta' > 0) \Rightarrow (\mathit{at}' = \mathit{at} \wedge \bigwedge_{x \in X} x' = x + \delta)\big) \wedge (\delta = 0 \vee \delta' = 0)$ (recall that $\delta$ is the special real-valued duration variable), and

• $\overline{AP}$ associates each atomic proposition $@l$, where $l \in L$, with the formula $(\mathit{at} = l)$.

Now $\mathit{traces}(\mathcal{S}_A)$ is exactly the set of super-dense timed traces corresponding to the runs of the automaton $A$. Every state of $\mathcal{S}_A$ corresponds to a time interval in the timed trace of $A$. Thus, there are three types of transitions encoded in $\mathcal{T}$. Firstly, a singleton-to-singleton transition, corresponding to a discrete transition of $A$, occurs when $\delta$ and $\delta'$ are both zero. Secondly, a singleton-to-open transition occurs when $\delta$ is zero and $\delta'$ is non-zero. On such a transition, all variables remain unchanged. Hence, the clock values correspond to the left bound of the interval. Thirdly, on an open-to-singleton transition ($\delta > 0$ and $\delta' = 0$) the clock variables are updated according to the length of the open interval.

Due to the "repetition of time elapse steps" property of timed automata discussed in Sect. III-C, the transition system $\mathcal{S}_A$ is also refinement-admitting.

V. Symbolic Encoding of $\mathrm{MITL}_{0,\infty}$ Formulas

Let $\mathcal{S} = (Z, X, \mathcal{I}, \mathcal{INV}, \mathcal{T}, \mathcal{F}, \overline{AP})$ be a transition system over $AP$ encoding some timed system producing super-dense timed traces. We now augment $\mathcal{S}$ with new variables and constraints so that $\mathrm{MITL}_{0,\infty}$ formulas over $AP$ are symbolically evaluated in the runs of the transition system. We say that the resulting transition system $\mathcal{S}_\varphi = (Z \cup Z_\varphi, X \cup X_\varphi, \mathcal{I} \wedge \mathcal{I}_\varphi, \mathcal{INV}, \mathcal{T} \wedge \mathcal{T}_\varphi, \mathcal{F} \cup \mathcal{F}_\varphi, \overline{AP})$ over $AP$ encodes $\varphi$ if $Z_\varphi$ includes a Boolean variable $|[\psi]|$ for each sub-formula $\psi$ of $\varphi$ (including $\varphi$ itself). Furthermore, we require two conditions on such encodings.

First, we want to make sure that the encoding $\mathcal{S}_\varphi$ is sound in the following senses:

• all the traces of $\mathcal{S}$ (i.e., projections of runs to the atomic propositions) are preserved: $\mathit{traces}(\mathcal{S}_\varphi) = \mathit{traces}(\mathcal{S})$, and

• when $|[\varphi]|$ holds in a state, then $\varphi$ holds in the corresponding interval: for each run $r = s_0 s_1 \ldots$ of $\mathcal{S}_\varphi$ with $\mathit{trace}(r) = \sigma = (I_0, V_0)(I_1, V_1)\ldots$, and each $i \in \mathbb{N}$, $s_i(|[\varphi]|) = \mathit{true}$ implies $\forall t \in I_i : \sigma^{(i,t)} \models \varphi$.

For fine traces we want to faithfully capture the cases when a formula holds on some interval. To this end, we say that the encoding $\mathcal{S}_\varphi$ is complete if for every $\varphi$-fine trace $\sigma = (I_0, V_0)(I_1, V_1)(I_2, V_2)\ldots$ in $\mathit{traces}(\mathcal{S})$, there is a run $r = s_0 s_1 s_2 \ldots$ in $\mathcal{S}_\varphi$ such that $\mathit{trace}(r) = \sigma$ and for all points $(i, t)$ in $\sigma$ it holds that $\sigma^{(i,t)} \models \varphi$ implies $s_i(|[\varphi]|) = \mathit{true}$. Therefore, our model checking task "Does a refinement-admitting transition system $\mathcal{S}$ have a run corresponding to a trace $\sigma$ with $\sigma \models \varphi$?" is reduced to the problem of deciding whether $\mathcal{S}_\varphi$ has a run $s_0 s_1 s_2 \ldots$ with $s_0(|[\varphi]|) = \mathit{true}$.

² Strictly, the atoms $\delta' = 0$ and $\delta' > 0$ are not allowed in $\mathcal{T}$; this can be handled by adding new Boolean variables $\delta_{=0}$ and $\delta_{>0}$ to $Z$, forcing $\delta_{=0} \Leftrightarrow (\delta = 0)$ and $\delta_{>0} \Leftrightarrow (\delta > 0)$ in $\mathcal{T}$, and then using $\delta_{=0}'$ instead of $\delta' = 0$ and $\delta_{>0}'$ instead of $\delta' > 0$ in the rest of $\mathcal{T}$.

A. Encoding Propositional Subformulas

Let $\mathcal{S} = (Z, X, \mathcal{I}, \mathcal{INV}, \mathcal{T}, \mathcal{F}, \overline{AP})$ be a transition system over $AP$. For the atomic formulas $\varphi$ of the forms $p$ and $\neg p$, it is possible to make a transition system $\mathcal{S}_\varphi = (Z \cup \{|[\varphi]|\}, X, \mathcal{I}, \mathcal{INV}, \mathcal{T} \wedge \mathcal{T}_\varphi, \mathcal{F}, \overline{AP})$ encoding $\varphi$ by (i) defining $\mathcal{T}_\varphi := (|[\varphi]| \Leftrightarrow \bar p)$ if $\varphi = p$ and (ii) $\mathcal{T}_\varphi := (|[\varphi]| \Leftrightarrow \neg\bar p)$ if $\varphi = \neg p$. Similarly, assuming that $\varphi$ is either of the form $\alpha \wedge \beta$ or $\alpha \vee \beta$ for some $\mathrm{MITL}_{0,\infty}$ formulas $\alpha$ and $\beta$, and that $\mathcal{S}$ encodes both $\alpha$ and $\beta$, we can make a transition system $\mathcal{S}_\varphi = (Z \cup \{|[\varphi]|\}, X, \mathcal{I}, \mathcal{INV}, \mathcal{T} \wedge \mathcal{T}_\varphi, \mathcal{F}, \overline{AP})$ encoding $\varphi$ as follows: (i) if $\varphi = \alpha \vee \beta$, then $\mathcal{T}_\varphi := (|[\varphi]| \Leftrightarrow (|[\alpha]| \vee |[\beta]|))$, and (ii) if $\varphi = \alpha \wedge \beta$, then $\mathcal{T}_\varphi := (|[\varphi]| \Leftrightarrow (|[\alpha]| \wedge |[\beta]|))$.

The lemmas for the soundness and completeness of the encodings are given in Sect. V-C.

B. Encoding $\mathrm{MITL}_{0,\infty}$ Operators

In the following sub-sections, we present encodings for the other $\mathrm{MITL}_{0,\infty}$ operators. In each encoding, we may introduce some new non-clock and clock variables such as $c$ and $\mathit{left}_o$; as these variables are "local" to the encoded sub-formula $\psi$ and not used elsewhere, we do not subscript them (e.g. $c$ really means $c_\psi$) for the sake of readability. We also introduce new transition relation constraints (i.e. conjuncts in $\mathcal{T}_\psi$), initial state constraints and fairness conditions. We will use $\mathit{open}$ as a shorthand for $(\delta > 0)$.

1) Encoding $l\, \mathbf{U}^s_{\bowtie n}\, r$ and $l\, \mathbf{R}^s_{\bowtie n}\, r$ with $\bowtie \in \{<, \le\}$: These operators can be expressed with simpler ones by using the following lemma (proven in the appendix):

Lemma 3: $\sigma^{(i,t)} \models \varphi\, \mathbf{U}^s_{\bowtie n}\, \psi$ iff $\sigma^{(i,t)} \models (\mathbf{F}^s_{\bowtie n}\, \psi) \wedge (\varphi\, \mathbf{U}^s\, \psi)$ for all $i \in \mathbb{N}$, $t \in I_i$, $\bowtie \in \{<, \le\}$, and $n \in \mathbb{N}$.

Using the $\mathbf{U}^s_{\bowtie n}$ / $\mathbf{R}^s_{\bowtie n}$ duality, we can now also express $\varphi\, \mathbf{R}^s_{\bowtie n}\, \psi$ as $(\mathbf{G}^s_{\bowtie n}\, \psi) \vee (\varphi\, \mathbf{R}^s\, \psi)$: negating both sides of Lemma 3 for $\neg\varphi$ and $\neg\psi$ turns the conjunction into a disjunction.

2) Encoding $l\, \mathbf{U}^s\, r$: We encode "untimed" until formulas $l\, \mathbf{U}^s\, r$ essentially like in the traditional LTL case [11] but must consider open intervals and singletons separately.

Assume $l\, \mathbf{U}^s\, r$ holds on the current interval. If that interval is open, $l$ and one of the following hold: (i) $r$ holds on the current interval, (ii) $r$ holds on the next interval (which is a singleton), or (iii) $l$ holds on the next interval and $l\, \mathbf{U}^s\, r$ is satisfied there as well. This is captured by the following constraint:

$|[l\, \mathbf{U}^s\, r]| \wedge \mathit{open} \Rightarrow |[l]| \wedge (|[r]| \vee |[r]|' \vee (|[l]|' \wedge |[l\, \mathbf{U}^s\, r]|'))$ (1)

If, in contrast, the current interval is a singleton, then there are two possibilities: (i) the next interval is a singleton and $r$ holds there, or (ii) both $l$ and $l\, \mathbf{U}^s\, r$ hold on the next interval:

$|[l\, \mathbf{U}^s\, r]| \wedge \neg\mathit{open} \Rightarrow (\neg\mathit{open}' \wedge |[r]|') \vee (|[l]|' \wedge |[l\, \mathbf{U}^s\, r]|')$ (2)

Finally, as in the traditional LTL encoding, we must add a fairness condition in order to avoid the case where $|[l\, \mathbf{U}^s\, r]|$ and $|[l]|$ are true on all intervals starting from some point but $r$ does not hold at any future time point, i.e. $\mathcal{F}_{l\, \mathbf{U}^s\, r} = \{\neg|[l\, \mathbf{U}^s\, r]| \vee |[r]|\}$.

[Figure 2. Encoding $l\, \mathbf{U}^s\, r$ and $\mathbf{F}^s_{\le 3}\, r$]

Example 4: Figure 2 illustrates an evaluation of the encoding variables on a trace (ignore the text below the dashed line for now). Note that $|[l\, \mathbf{U}^s\, r]|$ is (correctly) evaluated to true on the second $[6,6]$-interval despite $l$ not holding.

3) Encoding $\mathrm{F}^s_{\le 0}\,r$: A formula $\mathrm{F}^s_{\le 0}\,r$ holding requires a future interval at which $r$ holds and which can be reached without any time passing. Thus, $\mathrm{F}^s_{\le 0}\,r$ is satisfied only on a singleton where the next interval is a singleton as well and (i) $r$ or (ii) $\mathrm{F}^s_{\le 0}\,r$ holds on the next interval:

$[\![ \mathrm{F}^s_{\le 0}\,r ]\!] \Rightarrow \neg\mathit{open} \wedge \neg\mathit{open}' \wedge ([\![ r ]\!]' \vee [\![ \mathrm{F}^s_{\le 0}\,r ]\!]')$ (3)

No fairness conditions are needed as the non-zenoness requirement always guarantees a future open interval.

4) Encoding $\mathrm{F}^s_{\triangleleft n}\,r$ with $n > 0$: In the encoding of $\mathrm{F}^s_{\triangleleft n}\,r$, we first add the constraints for $\mathrm{U}^s$, replacing $l$ by true.

$[\![ \mathrm{F}^s_{\triangleleft n}\,r ]\!] \wedge \mathit{open} \Rightarrow [\![ r ]\!] \vee [\![ r ]\!]' \vee [\![ \mathrm{F}^s_{\triangleleft n}\,r ]\!]'$ (4)

$[\![ \mathrm{F}^s_{\triangleleft n}\,r ]\!] \wedge \neg\mathit{open} \Rightarrow [\![ r ]\!]' \vee [\![ \mathrm{F}^s_{\triangleleft n}\,r ]\!]'$ (5)

Next, we observe that for encoding the timing related aspect, it is sufficient to remember at any point the earliest interval at which $\mathrm{F}^s_{\triangleleft n}\,r$ holds and after which $r$ has not held yet. If $r$ is encountered in time for the earliest such interval, then the interval where $r$ holds is close enough to any later interval where $[\![ \mathrm{F}^s_{\triangleleft n}\,r ]\!]$ holds as well. Correspondingly, we use a real-valued (clock-like) auxiliary variable $c$ and a boolean auxiliary variable $\mathit{lefto}$ to remember the time passed since, and the type of, the earliest interval on which $[\![ \mathrm{F}^s_{\triangleleft n}\,r ]\!]$ held and after which we have not seen $[\![ r ]\!]$. The correct values in the first interval are forced by the initial state formula $\mathcal{I}_{\mathrm{F}^s_{\triangleleft n}\,r} := c = 0 \wedge \neg\mathit{lefto}$. To update $c$ and $\mathit{lefto}$, we define the shorthand $R_c$ to be true when we have not seen $[\![ \mathrm{F}^s_{\triangleleft n}\,r ]\!]$ without seeing $r$ afterwards, or $r$ holds on an open current or an arbitrary next interval.

$R_c := (\neg[\![ \mathrm{F}^s_{\triangleleft n}\,r ]\!] \vee (\mathit{open} \wedge [\![ r ]\!]) \vee [\![ r ]\!]') \wedge [\![ \mathrm{F}^s_{\triangleleft n}\,r ]\!]'$ (6)

We then (i) reset $c$ and $\mathit{lefto}$ on the next interval if $R_c$ holds on the current interval, and (ii) update $c$ and leave $\mathit{lefto}$ unchanged if $R_c$ does not hold.

$R_c \Rightarrow c' = 0 \wedge (\mathit{lefto}' \Leftrightarrow \mathit{open}')$ (7)

$\neg R_c \Rightarrow c' = c + \delta \wedge (\mathit{lefto}' \Leftrightarrow \mathit{lefto})$ (8)

We introduce a shorthand $T_c$ (defined below) such that $T_c$ holds if for each point on the interval where we reset $c$ there is a point on the next interval that satisfies the $\triangleleft n$ constraint. We then require that $[\![ \mathrm{F}^s_{\triangleleft n}\,r ]\!]$ being true, and $r$ being false or the current interval being a singleton, implies that $T_c$ holds.

$[\![ \mathrm{F}^s_{\triangleleft n}\,r ]\!] \wedge \neg([\![ r ]\!] \wedge \mathit{open}) \Rightarrow T_c$ (9)

In the case of $\mathrm{F}^s_{<n}\,r$, we define $T_c := c + \delta < n \vee (\mathit{lefto} \wedge c + \delta \le n)$ and in the case of $\mathrm{F}^s_{\le n}\,r$ we define $T_c := c + \delta < n \vee ((\neg\mathit{open}' \vee \mathit{lefto}) \wedge c + \delta \le n)$.
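To make the bookkeeping of $c$, $\mathit{lefto}$, $R_c$ and $T_c$ concrete, the following Python script (an added example, not the paper's implementation) derives $c$ and $\mathit{lefto}$ along a constructed trace from the initial state formula and constraints (6)-(8), and then checks constraints (4), (5) and (9) against a claimed assignment of $[\![ \mathrm{F}^s_{\triangleleft n}\,r ]\!]$, reporting every violation. The interval representation (open flag plus length) and the sample traces are assumptions of this example.

```python
"""Checker for the F^s_{<n} r / F^s_{<=n} r encoding (constraints (4)-(9)).

Added illustration, not the paper's implementation. A trace is a list of
intervals in order; each carries whether it is open, its length delta
(0 for a singleton), the value of [[r]] and a *claimed* value of [[F r]].
The auxiliary variables c and lefto are derived from the initial state
formula and constraints (6)-(8); constraints (4), (5) and (9) are then
checked on every interval that has a successor. A reported violation
means the claimed [[F r]] assignment is not a model of the encoding.
"""
from dataclasses import dataclass


@dataclass
class Interval:
    is_open: bool         # open interval (delta > 0) or singleton
    delta: float          # length of the interval, 0 for a singleton
    r: bool               # [[r]]
    f: bool               # claimed [[F^s_{<|n} r]]
    c: float = 0.0        # auxiliary clock, computed by check_f_encoding
    lefto: bool = False   # type of the interval on which c was last reset


def t_c(cur: Interval, nxt: Interval, n: float, strict: bool) -> bool:
    """Shorthand T_c: every point of the interval that reset c has a point
    on the next interval within the timing bound (<n if strict, else <=n)."""
    end = cur.c + cur.delta
    if strict:                                   # F^s_{<n} r
        return end < n or (cur.lefto and end <= n)
    return end < n or ((not nxt.is_open or cur.lefto) and end <= n)  # F^s_{<=n} r


def check_f_encoding(trace: list, n: float, strict: bool) -> list:
    """Fill in c/lefto along the trace and return the violated constraints
    as (constraint number, interval index) pairs, in trace order."""
    violations = []
    trace[0].c, trace[0].lefto = 0.0, False      # initial state formula
    for i in range(len(trace) - 1):
        cur, nxt = trace[i], trace[i + 1]
        # (4)/(5): r must be seen now (open intervals only), next, or the
        # obligation is carried over to the next interval
        if cur.f and cur.is_open and not (cur.r or nxt.r or nxt.f):
            violations.append((4, i))
        if cur.f and not cur.is_open and not (nxt.r or nxt.f):
            violations.append((5, i))
        # (6): R_c -- the next interval starts a fresh measurement
        r_c = ((not cur.f) or (cur.is_open and cur.r) or nxt.r) and nxt.f
        if r_c:                                  # (7)
            nxt.c, nxt.lefto = 0.0, nxt.is_open
        else:                                    # (8)
            nxt.c, nxt.lefto = cur.c + cur.delta, cur.lefto
        # (9): unless r holds on an open current interval, T_c must hold
        if cur.f and not (cur.r and cur.is_open) and not t_c(cur, nxt, n, strict):
            violations.append((9, i))
    return violations


def sound_trace() -> list:
    """Constructed trace [0,0] (0,2) [2,2] (2,4) [4,4] (4,6) with r only at
    time 4. F^s_{<3} r holds on all of [2,2] and (2,4) and nowhere else."""
    return [Interval(False, 0, False, False), Interval(True, 2, False, False),
            Interval(False, 0, False, True), Interval(True, 2, False, True),
            Interval(False, 0, True, False), Interval(True, 2, False, False)]


def unsound_trace() -> list:
    """Same shape, but r is delayed to time 6 while [[F r]] is still claimed
    on [2,2]: the point 2 is 4 time units from r, so with n = 3 the claim
    is unsound (it is fine for F^s_{<=4} r)."""
    return [Interval(False, 0, False, False), Interval(True, 2, False, False),
            Interval(False, 0, False, True), Interval(True, 2, False, True),
            Interval(False, 0, False, True), Interval(True, 2, False, True),
            Interval(False, 0, True, False)]


if __name__ == "__main__":
    print(check_f_encoding(sound_trace(), 3, True))      # []
    print(check_f_encoding(unsound_trace(), 3, True))    # [(9, 5)]
    print(check_f_encoding(unsound_trace(), 4, False))   # []
```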

Example 5: An evaluation of the encoding variables is shown (below the dashed line) in Figure 2. In particular, observe that $[\![ \mathrm{F}^s_{<3}\,r ]\!]$ is not evaluated to true on the interval $(6, 9.3)$ although $\mathrm{F}^s_{<3}\,r$ holds on some points in the interval: we are interested in sound encodings and $\mathrm{F}^s_{<3}\,r$ does not hold on all the points in the interval.

5) Encoding $l\,\mathrm{U}^s_{\triangleright n}\,r$ with $\triangleright \in \{>, \ge\}$: To encode $l\,\mathrm{U}^s_{\triangleright n}\,r$, we define shorthands $T_c$ and $\hat{r}$. $T_c$ will later be defined so that $T_c$ holds iff for every previous point at which $[\![ l\,\mathrm{U}^s_{\triangleright n}\,r ]\!]$ held there is a point on the current interval that satisfies the $\triangleright n$ timing constraint. We then define $\hat{r} := [\![ r ]\!] \wedge T_c$. Next, we add a boolean "obligation" variable $\mathit{oblig}$ to remember when we need to see $\hat{r}$ at a future point. Whenever $[\![ l\,\mathrm{U}^s_{\triangleright n}\,r ]\!]$ is true, we also require $\mathit{oblig}$ to be true.

$[\![ l\,\mathrm{U}^s_{\triangleright n}\,r ]\!] \Rightarrow \mathit{oblig}$ (10)

In case $n > 0$, we additionally require $\mathit{oblig}$ and $l$ to hold on the next interval.

$[\![ l\,\mathrm{U}^s_{\triangleright n}\,r ]\!] \Rightarrow (\mathit{oblig}' \wedge [\![ l ]\!]')$ (11)

Next, we add constraints similar to those for the $\mathrm{U}^s$-operator but with $[\![ l\,\mathrm{U}^s_{\triangleright n}\,r ]\!]$ and $[\![ r ]\!]$ replaced by $\mathit{oblig}$ and $\hat{r}$:

$(\mathit{oblig} \wedge \mathit{open}) \Rightarrow ([\![ l ]\!] \wedge (\hat{r} \vee \hat{r}' \vee ([\![ l ]\!]' \wedge \mathit{oblig}')))$ (12)

$(\mathit{oblig} \wedge \neg\mathit{open}) \Rightarrow ((\neg\mathit{open}' \wedge \hat{r}') \vee ([\![ l ]\!]' \wedge \mathit{oblig}'))$ (13)

We want to determine whether the $\triangleright n$ constraint holds for all previous points at which $[\![ l\,\mathrm{U}^s_{\triangleright n}\,r ]\!]$ holds. We thus use a real-valued variable $c$ and a boolean variable $\mathit{righto}$ to measure the time since the most recent corresponding interval: we reset $c$ to zero and use $\mathit{righto}$ to remember the type of the current interval whenever $[\![ l\,\mathrm{U}^s_{\triangleright n}\,r ]\!]$ holds. Otherwise, we update $c$ and $\mathit{righto}$ as before.

$[\![ l\,\mathrm{U}^s_{\triangleright n}\,r ]\!] \Rightarrow c' = 0 \wedge (\mathit{righto}' \Leftrightarrow \mathit{open})$ (14)

$\neg[\![ l\,\mathrm{U}^s_{\triangleright n}\,r ]\!] \Rightarrow c' = c + \delta \wedge (\mathit{righto}' \Leftrightarrow \mathit{righto})$ (15)

Figure 3. Encoding $l\,\mathrm{U}^s_{>3}\,r$

Next, in case $l\,\mathrm{U}^s_{>n}\,r$, we define $T_c := c + \delta > n \vee (\mathit{righto} \wedge c + \delta \ge n)$ and in case $l\,\mathrm{U}^s_{\ge n}\,r$ we define $T_c := c + \delta > n \vee ((\mathit{righto} \vee \neg\mathit{open}) \wedge c + \delta \ge n)$.

Finally, as for the untimed $\mathrm{U}^s$-operator, we need a fairness condition to prevent a situation where $\mathit{oblig}$ holds globally but $r$ never holds. We define $\mathcal{F}_{l\,\mathrm{U}^s_{\triangleright n}\,r} := \{\neg\mathit{oblig} \vee [\![ r ]\!]\}$. Note that, here, we use $[\![ r ]\!]$, not $\hat{r}$. For instance, when $l\,\mathrm{U}^s_{\triangleright n}\,r$ and $r$ hold globally, there may never be a point where $T_c$ is true and thus $\hat{r}$ always stays false.

Example 6: Figure 3 illustrates how the encoding variables of $l\,\mathrm{U}^s_{>3}\,r$ could be evaluated on a trace. Again, $[\![ l\,\mathrm{U}^s_{>3}\,r ]\!]$ is not true on the interval $(6, 9.3)$ because $l\,\mathrm{U}^s_{>3}\,r$ holds only on some points of it but not on all.

6) Encoding $l\,\mathrm{R}^s\,r$: For encoding $l\,\mathrm{R}^s\,r$, we use an auxiliary boolean variable $\mathit{oblig}$. Intuitively, $\mathit{oblig}$ being true means that before seeing any point at which $[\![ r ]\!]$ is false, we need to see a point where $[\![ l ]\!]$ is true.

We require $\mathit{oblig}$ to hold on the current interval when $[\![ l\,\mathrm{R}^s\,r ]\!]$ holds on an open interval, and on the next interval when $[\![ l\,\mathrm{R}^s\,r ]\!]$ holds on a singleton.

$([\![ l\,\mathrm{R}^s\,r ]\!] \wedge \mathit{open}) \Rightarrow \mathit{oblig}$ (16)

$([\![ l\,\mathrm{R}^s\,r ]\!] \wedge \neg\mathit{open}) \Rightarrow \mathit{oblig}'$ (17)

The obligation to see $l$ before $\neg r$ remains active until $l$ holds:

$\mathit{oblig} \Rightarrow ([\![ l ]\!] \vee \mathit{oblig}')$ (18)

As a final constraint, $r$ needs to hold on all intervals where the obligation is true, with the exception of open intervals on which $l$ holds, leading to

$\mathit{oblig} \Rightarrow ((\mathit{open} \wedge [\![ l ]\!]) \vee [\![ r ]\!])$ (19)

7) Encoding $\mathrm{G}^s_{\le 0}\,r$: $\mathrm{G}^s_{\le 0}\,r$ trivially holds when the current or the next interval is open. Furthermore, $\mathrm{G}^s_{\le 0}\,r$ holds when both the current and the next interval are singletons and $r$ and $\mathrm{G}^s_{\le 0}\,r$ hold on the next interval.

$[\![ \mathrm{G}^s_{\le 0}\,r ]\!] \Rightarrow (\mathit{open} \vee \mathit{open}' \vee ([\![ r ]\!]' \wedge [\![ \mathrm{G}^s_{\le 0}\,r ]\!]'))$ (20)



8) Encoding $\mathrm{G}^s_{\triangleleft n}\,r$ with $n > 0$: First, we require that $r$ holds on all open intervals on which $[\![ \mathrm{G}^s_{\triangleleft n}\,r ]\!]$ holds. Furthermore, we will later define a shorthand $T_c$ to hold whenever there is an interval on which $[\![ \mathrm{G}^s_{\triangleleft n}\,r ]\!]$ held sufficiently shortly in the past to still require $r$ to hold, resulting in

$(([\![ \mathrm{G}^s_{\triangleleft n}\,r ]\!] \wedge \mathit{open}) \vee T_c) \Rightarrow [\![ r ]\!]$ (21)

Like in the $\mathrm{U}^s_{\triangleright n}$ encoding, we use a real-valued variable $c$ and a boolean variable $\mathit{righto}$ to measure time from the most recent interval at which $[\![ \mathrm{G}^s_{\triangleleft n}\,r ]\!]$ held.

$[\![ \mathrm{G}^s_{\triangleleft n}\,r ]\!] \Rightarrow c' = 0 \wedge (\mathit{righto}' \Leftrightarrow \mathit{open})$ (22)

$\neg[\![ \mathrm{G}^s_{\triangleleft n}\,r ]\!] \Rightarrow c' = c + \delta \wedge (\mathit{righto}' \Leftrightarrow \mathit{righto})$ (23)

Now, in the case of $\mathrm{G}^s_{<n}\,r$ we define $T_c := c < n$ and for $\mathrm{G}^s_{\le n}\,r$ we define $T_c := c < n \vee (c \le n \wedge \neg\mathit{open} \wedge \neg\mathit{righto})$.

Figure 4. Encoding $l\,\mathrm{R}^s_{>2}\,r$
9) Encoding $l\,\mathrm{R}^s_{\triangleright n}\,r$: For encoding the lower bound release operators, we use a boolean variable $\mathit{oblig}$ and the same update rules as for the untimed $\mathrm{R}^s$ operator.

$([\![ l\,\mathrm{R}^s_{\triangleright n}\,r ]\!] \wedge \mathit{open}) \Rightarrow \mathit{oblig}$ (24)

$([\![ l\,\mathrm{R}^s_{\triangleright n}\,r ]\!] \wedge \neg\mathit{open}) \Rightarrow \mathit{oblig}'$ (25)

$\mathit{oblig} \Rightarrow ([\![ l ]\!] \vee \mathit{oblig}')$ (26)

We add a modified version of Constraint 18 and use a shorthand $T_c$ (defined later) to identify intervals that contain time points $\triangleright n$ from a point where $[\![ l\,\mathrm{R}^s_{\triangleright n}\,r ]\!]$ holds.

$(\mathit{oblig} \wedge T_c) \Rightarrow (([\![ l ]\!] \wedge \mathit{open}) \vee [\![ r ]\!])$ (27)

Next, we add a constraint for intervals of length $> n$. On such an interval, $l$ or $r$ has to hold if $[\![ l\,\mathrm{R}^s_{\triangleright n}\,r ]\!]$ holds.

$([\![ l\,\mathrm{R}^s_{\triangleright n}\,r ]\!] \wedge \delta > n) \Rightarrow ([\![ l ]\!] \vee [\![ r ]\!])$ (28)

For encoding $\mathrm{R}^s_{\triangleright n}$, we use an auxiliary real-valued variable $c$ and a boolean variable $\mathit{lefto}$ to measure the time passed since the earliest interval at which $[\![ l\,\mathrm{R}^s_{\triangleright n}\,r ]\!]$ holds and whose obligation to see $l$ before $r$ is still active. This is, in principle, similar to the $\mathrm{F}^s_{\triangleleft n}$ encoding except for a special case illustrated in Figure 4. Here, on the fourth interval $c$ and $\mathit{lefto}$ are needed for two purposes: to measure the time passed since the second interval (which introduced a still open obligation) and to start measuring time since the current interval (which introduces a fresh obligation as $[\![ l ]\!]$ holds, satisfying the previous obligation). We define a shorthand $D_c := (\neg\mathit{open} \wedge \mathit{oblig} \wedge [\![ l ]\!] \wedge [\![ l\,\mathrm{R}^s_{\triangleright n}\,r ]\!])$ to capture precisely this situation and will later delay resetting $c$ by one step whenever $D_c$ holds. Otherwise, $c$ needs to be reset on the next interval if $[\![ l\,\mathrm{R}^s_{\triangleright n}\,r ]\!]$ holds on that interval and (i) if there is an open obligation it is satisfied on the current interval and (ii) the current interval is not a singleton on which $[\![ l\,\mathrm{R}^s_{\triangleright n}\,r ]\!]$ holds, i.e. does not add an obligation to the next interval, i.e. $R_c := [\![ l\,\mathrm{R}^s_{\triangleright n}\,r ]\!]' \wedge (\neg\mathit{oblig} \vee [\![ l ]\!]) \wedge (\mathit{open} \vee \neg[\![ l\,\mathrm{R}^s_{\triangleright n}\,r ]\!])$.

As said before, we delay resetting $c$ and $\mathit{lefto}$ by one interval when $D_c$ holds, i.e. set $c$ to $0$ and $\mathit{lefto}$ to false.

$D_c \Rightarrow (c' = 0 \wedge \neg\mathit{lefto}')$ (29)

When $R_c$ holds, $c$ and $\mathit{lefto}$ are reset as for the $\mathrm{F}^s_{\triangleleft n}$ operator, and when neither holds we update them as usual:

$R_c \Rightarrow (c' = 0 \wedge (\mathit{lefto}' \Leftrightarrow \mathit{open}'))$ (30)

$(\neg R_c \wedge \neg D_c) \Rightarrow (c' = c + \delta \wedge (\mathit{lefto}' \Leftrightarrow \mathit{lefto}))$ (31)

We set the initial values of $c$ and $\mathit{lefto}$ to correspond to measuring time from the initial interval, i.e. $\mathcal{I}_{l\,\mathrm{R}^s_{\triangleright n}\,r} := c = 0 \wedge \neg\mathit{lefto}$.

Finally, we define $T_c$ to hold precisely if there is a point on the current interval that is $\triangleright n$ time units away from a point belonging to the interval at which we started measuring time. In the case of $\mathrm{R}^s_{>n}$, we define $T_c := c + \delta > n$ and for $\mathrm{R}^s_{\ge n}$ we define $T_c := c + \delta > n \vee (\neg\mathit{lefto} \wedge \neg\mathit{open} \wedge c + \delta \ge n)$.

C. Soundness and Completeness of the Encodings

The encoding just given is sound and complete in the sense defined by the following lemmas, which are proven in the appendix.

Lemma 4: The transition system $\mathcal{S}_p$ is a sound encoding for $p$ and $\mathcal{S}_{\neg p}$ is a sound encoding for $\neg p$. If a transition system $\mathcal{S}$ over $AP$ is a sound encoding of $\alpha$ and $\beta$, then the transition system $\mathcal{S}_{\mathrm{Op}\,\alpha}$ over $AP$ is a sound encoding of $\mathrm{Op}\,\alpha$ for each $\mathrm{Op} \in \{\mathrm{F}^s_{\le 0}, \mathrm{F}^s_{<n}, \mathrm{F}^s_{\le n}, \mathrm{G}^s_{\le 0}, \mathrm{G}^s_{<n}, \mathrm{G}^s_{\le n}\}$, and $\mathcal{S}_{\alpha\,\mathrm{Op}\,\beta}$ is a sound encoding of $\alpha\,\mathrm{Op}\,\beta$ for each $\mathrm{Op} \in \{\wedge, \vee, \mathrm{U}^s, \mathrm{U}^s_{>n}, \mathrm{U}^s_{\ge n}, \mathrm{R}^s, \mathrm{R}^s_{>n}, \mathrm{R}^s_{\ge n}\}$.

Lemma 5: The transition system $\mathcal{S}_p$ is a complete encoding for $p$, and $\mathcal{S}_{\neg p}$ is a complete encoding for $\neg p$. If a transition system $\mathcal{S}$ over $AP$ is a complete encoding of $\alpha$ and $\beta$, then the transition system $\mathcal{S}_{\mathrm{Op}\,\alpha}$ over $AP$ is a complete encoding of $\mathrm{Op}\,\alpha$ for each $\mathrm{Op} \in \{\mathrm{F}^s_{\le 0}, \mathrm{F}^s_{<n}, \mathrm{F}^s_{\le n}, \mathrm{G}^s_{\le 0}, \mathrm{G}^s_{<n}, \mathrm{G}^s_{\le n}\}$, and $\mathcal{S}_{\alpha\,\mathrm{Op}\,\beta}$ is a complete encoding of $\alpha\,\mathrm{Op}\,\beta$ for each $\mathrm{Op} \in \{\wedge, \vee, \mathrm{U}^s, \mathrm{U}^s_{>n}, \mathrm{U}^s_{\ge n}, \mathrm{R}^s, \mathrm{R}^s_{>n}, \mathrm{R}^s_{\ge n}\}$.

VI. Bounded Model Checking 

Naturally, one cannot directly handle infinite formula representations capturing infinite runs with SMT solvers. Thus in bounded model checking (BMC) one considers finite representations only, i.e. looping, lasso-shaped paths. We show that, by using region abstraction [1], we can indeed capture all runs that satisfy a $\mathrm{MITL}_{0,\infty}$ formula with such finite representations. For this we must assume that the domains of all the non-clock variables in $Z$ are finite.

Assume a transition system $(Z, X, \mathcal{I}, \mathcal{INV}, \mathcal{T}, \mathcal{F}, AP)$ over a set $AP$ of atomic propositions. For each clock $x \in X$, let $m_x$ be the largest constant $n$ occurring in atoms of forms $x \bowtie n$ and $x + \delta \bowtie n$ in $\mathcal{I}$, $\mathcal{INV}$, and $\mathcal{T}$. Two states, $s$ and $t$ (i.e. valuations over $Z \cup X$ as defined in Sect. IV-A), belong to the same equivalence class called region, denoted by $s \approx t$, if (i) $s(z) = t(z)$ for each non-clock variable $z \in Z$, and (ii) for all clocks $x, y \in X$

1) either (a) $\lfloor s(x) \rfloor = \lfloor t(x) \rfloor$ or (b) $s(x) > m_x$ and $t(x) > m_x$;

2) if $s(x) \le m_x$, then $\mathit{fract}(s(x)) = 0$ iff $\mathit{fract}(t(x)) = 0$, where $\mathit{fract}(i)$ denotes the fractional part of $i$; and

3) if $s(x) \le m_x$ and $s(y) \le m_y$, then $\mathit{fract}(s(x)) \le \mathit{fract}(s(y))$ iff $\mathit{fract}(t(x)) \le \mathit{fract}(t(y))$.
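As an added illustration (not code from the paper), the following Python functions implement the region equivalence $s \approx t$ just defined, together with the loop test $E_{j-1,k}$ that the BMC encoding below uses to detect states lying in the same region; the dict-based state representation and the sample valuations are assumptions of this example, and condition 2 is applied from both sides so that the implemented relation is symmetric.

```python
"""Region equivalence s ~ t and the loop test E_{j-1,k} of the BMC encoding.

Added illustration of the definitions in Sect. VI, not the paper's
implementation. A state is a dict from variable names to values; `clocks`
maps each clock x to its maximal constant m_x, and every other key is a
non-clock variable from Z (assumed to range over a finite domain).
"""
import math


def fract(v: float) -> float:
    """Fractional part of v."""
    return v - math.floor(v)


def same_region(s: dict, t: dict, clocks: dict) -> bool:
    """True iff s ~ t: agreement on all non-clock variables plus the three
    clock conditions (integer parts, zero fractional parts, ordering)."""
    # (i) non-clock variables: same key set and same values
    zs, zt = set(s) - set(clocks), set(t) - set(clocks)
    if zs != zt or any(s[z] != t[z] for z in zs):
        return False
    for x, m_x in clocks.items():
        sx, tx = s[x], t[x]
        # 1) equal integer parts, or both beyond the maximal constant m_x
        if not (math.floor(sx) == math.floor(tx) or (sx > m_x and tx > m_x)):
            return False
        # 2) for a bounded clock a zero fractional part must agree; checked
        #    from both sides so the relation is symmetric (e.g. 2.0 vs 2.5
        #    with m_x = 2 are separated by the atom x <= 2)
        if (sx <= m_x or tx <= m_x) and ((fract(sx) == 0) != (fract(tx) == 0)):
            return False
    # 3) the ordering of fractional parts of bounded clocks is preserved;
    #    after 1) and 2), s[x] <= m_x holds iff t[x] <= m_x does
    bounded = [x for x, m_x in clocks.items() if s[x] <= m_x]
    for x in bounded:
        for y in bounded:
            if (fract(s[x]) <= fract(s[y])) != (fract(t[x]) <= fract(t[y])):
                return False
    return True


def region_loop_indices(run: list, k: int, clocks: dict) -> list:
    """Indices j in 1..k for which E_{j-1,k} holds, i.e. state j-1 and
    state k lie in the same region; these are the positions at which
    loop^[j] may be set to true in [[S, k]]."""
    return [j for j in range(1, k + 1) if same_region(run[j - 1], run[k], clocks)]


if __name__ == "__main__":
    # constructed run over one clock x with m_x = 2 and a location variable
    run = [{"loc": "a", "x": 0.0}, {"loc": "b", "x": 0.0}, {"loc": "a", "x": 1.5},
           {"loc": "b", "x": 1.5}, {"loc": "a", "x": 3.2}, {"loc": "b", "x": 3.2},
           {"loc": "a", "x": 4.7}]
    print(region_loop_indices(run, 6, {"x": 2}))   # [5]: s_4 ~ s_6 (both x > 2)
```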

Next, we will apply the bisimulation property of regions introduced in [1] to transition systems.

Lemma 6: Assume two states, $s$ and $t$, such that $s \approx t$. It holds that (i) $s \models \mathcal{I}$ iff $t \models \mathcal{I}$, and (ii) $s \models \mathcal{INV}$ iff $t \models \mathcal{INV}$. Furthermore, if there is a $\delta_s \in \mathbb{R}_{\ge 0}$ and a state $s'$ such that $s \cup \{\delta \mapsto \delta_s\} \cup \{y' \mapsto s'(y) \mid y \in X \cup Z\} \models \mathcal{T}$, then there is a $\delta_t \in \mathbb{R}_{\ge 0}$ and a state $t'$ such that $t \cup \{\delta \mapsto \delta_t\} \cup \{y' \mapsto t'(y) \mid y \in X \cup Z\} \models \mathcal{T}$ and $s' \approx t'$. Lemma 6 is proven in the appendix.

When the domains of the non-clock variables are finite, as we have assumed, the set of equivalence classes induced by $\approx$ is finite, too. In this case we can prove, in a similar fashion as the corresponding lemma in [12], that all runs of a transition system also have corresponding runs whose projections on the equivalence classes induced by $\approx$ are lasso-shaped looping runs:

Lemma 7: Let $\mathit{Val}$ be the set of all valuations over $Z$ and $\mathit{Reg}$ the set of clock regions. If the transition system $\mathcal{S}$ has an arbitrary infinite run starting in some state $s_0$, then it also has a run $r = s_0 \xrightarrow{\delta_0} s_1 \xrightarrow{\delta_1} s_2 \xrightarrow{\delta_2} \cdots$ such that for some $i, k \in \mathbb{N}$ with $0 \le i < k \le (|X| + |\mathcal{F}| + 2) \cdot |\mathit{Val}| \cdot |\mathit{Reg}|$ and for every $j$ with $j \ge i$ we have $s_j \approx s_{j+k-i+1}$.

Intuitively, Lemma 7 states that if $\mathcal{S}$ has a run starting in a given state, then $\mathcal{S}$ has a run starting in the same state that begins to loop through the same regions after a finite prefix. E.g., if $i = 7$ and $k = 10$, then $s_7 \approx s_{11} \approx s_{15} \approx s_{19} \ldots$ and $s_8 \approx s_{12} \approx s_{16} \approx s_{20} \ldots$. In particular, Lemma 7 implies that if we are interested in whether $\mathcal{S}$ has any run at all, it is sufficient to search for runs that are lasso-shaped under the region abstraction. Such runs can be captured with finite bounded model checking encodings. Given a formula $\psi$ over $Z \cup X \cup \{\delta\} \cup Z' \cup X'$ and an index $i \in \mathbb{N}$, let $\psi^{[i]}$ be the formula over $\{y^{[i]} \mid y \in Z \cup X \cup \{\delta\}\} \cup \{y^{[i+1]} \mid y \in Z \cup X\}$ obtained by replacing each variable $y \in Z \cup X \cup \{\delta\}$ with the variable $y^{[i]}$ and each $y' \in Z' \cup X'$ with the variable $y^{[i+1]}$. E.g., $((x' = x + \delta) \wedge \neg p)^{[3]}$ is $(x^{[4]} = x^{[3]} + \delta^{[3]}) \wedge \neg p^{[3]}$. Now the bounded model checking encoding for bound $k$ is:

$[\![ \mathcal{S}, k ]\!] := \delta^{[0]} = 0 \wedge \mathcal{I}^{[0]} \wedge \bigwedge_{0 \le i \le k} \mathcal{INV}^{[i]} \wedge \bigwedge_{0 \le i < k} \mathcal{T}^{[i]} \wedge \bigwedge_{1 \le j \le k} (\mathit{loop}^{[j]} \Rightarrow E_{j-1,k}) \wedge \bigwedge_{0 \le i < k} (\delta^{[i]} > 0 \Rightarrow \delta^{[i+1]} = 0) \wedge \mathit{Fair}_k \wedge \mathit{NonZeno}_k \wedge \bigvee_{1 \le j \le k} \mathit{loop}^{[j]}$

where (i) $E_{j-1,k}$ is a formula evaluating to true if state $j-1$ and state $k$ (i.e. the valuations of the variables with superscripts $j-1$ and $k$, respectively) are in the same region (see [12] for different ways to implement this), and (ii) $\mathit{Fair}_k$ and $\mathit{NonZeno}_k$ are constraints forcing that the fairness formulas hold in the loop and that sufficiently much time passes in the loop to unroll it to a non-zeno run (again, see [12]). Intuitively, the conjuncts of $[\![ \mathcal{S}, k ]\!]$ encode the following: (a) the first interval is a singleton and satisfies the initial constraint, (b) all intervals satisfy the invariant and all pairs of successive states the transition relation, (c) if some $\mathit{loop}^{[j]}$ holds then state $j-1$ and state $k$ are in the same region, (d) there are no two successive open intervals, (e) the fairness formulas are satisfied within the looping part of the trace, (f) the trace is non-zeno and (g) at least one $\mathit{loop}^{[j]}$ is true, meaning that the trace is "looping under region abstraction".

Figure 5. Experimental results

Now, if we wish to find out whether a transition system $\mathcal{S}$ has a run corresponding to a trace $\sigma$ such that $\sigma \models \varphi$ for a $\mathrm{MITL}_{0,\infty}$ formula $\varphi$, we can check whether $[\![ \mathcal{S}_\varphi, k ]\!] \wedge [\![ \varphi ]\!]^{[0]}$ is satisfiable for some $0 < k \le (|X| + |\mathcal{F}| + 2) \cdot |\mathit{Val}| \cdot |\mathit{Reg}|$. This upper bound is very large and, in practice, much lower bounds are often used (and are sufficient for finding traces). Then, however, the possibility remains that a trace exists despite none being found with the bound used.

VII. Experimental Evaluation 

We have studied the feasibility of the BMC encoding developed in this paper experimentally. We have devised a straightforward implementation of the approach following the encoding scheme given in Sect. IV and V. With experiments on a class of models we (i) show that it is possible to develop relatively efficient implementations of the approach, (ii) demonstrate that the approach scales reasonably and (iii) are able to estimate the cost of timing by comparing the verification of properties using timed operators both to verifying $\mathrm{MITL}_{0,\infty}$ properties that do not use timing constraints and to region-based LTL BMC [12], [13].

As a model for the experimentation we used the Fischer mutual exclusion protocol with two to 20 agents. This protocol is commonly used for the evaluation of timed verification approaches. The encoding used for the experiments is based on a model that comes with the model checker Uppaal [2], which also uses super-dense time. We checked one property that holds ("requesting state leads to waiting state eventually") and one that does not ("there is no trace visiting the critical section and the non-critical section infinitely often"). Each property was checked in three variants: as an LTL property using the approach from [12], as the corresponding MITL property (only untimed operators) and with timing constraints added. Both MITL BMC and LTL BMC were used in an incremental fashion, i.e. bounds are increased starting with bound one until a counter-example is found, and constraints are shared by successive SMT solver calls where possible. All experiments were run under Linux on Intel Xeon X5650 CPUs, limiting memory to 4 GB and CPU time to 20 minutes. As an SMT solver, Yices [14] version 1.0.37 was used. All plots report minimum, maximum and median over 11 executions. The implementation and the benchmark used are available on the first author's website.

Figure 5a shows the time needed for finding a counter-example to the non-holding property. No timeouts were encountered, even when using the timed MITL properties. Figure 5b shows the maximum bound reached within 20 minutes when checking the holding property. The bounds reached for the timed property are significantly lower than the bounds reached for the LTL property, with the untimed MITL BMC bounds lying in between. While there is both a cost for using the MITL framework for an untimed property and an additional cost for adding timing constraints, checking timed constraints using MITL BMC is certainly feasible. The performance could be further improved using well-known optimization techniques, e.g. by adding the possibility for finite counter-examples [11], a technique used in the LTL BMC implementation used for the experiments. When verifying properties without timing constraints, using LTL BMC, however, is advisable not only because of the better performance but also because a lower bound is needed to find a trace as open intervals are irrelevant for LTL formulas.

VIII. Conclusions 

In this paper, we extend the linear time logic $\mathrm{MITL}_{0,\infty}$ to super-dense time semantics. We devise a method to encode both a timed automaton and a $\mathrm{MITL}_{0,\infty}$ formula as a symbolic transition system. The encoding provides a foundation for different kinds of fully symbolic verification methods. Soundness and completeness of the encoding are proven in the appendix. Furthermore, we demonstrate how the encoding can be employed for bounded model checking (BMC) using the well-known region abstraction. We have implemented the approach. An experimental evaluation of the BMC approach indicated that a reasonably efficient implementation is feasible.
Appendix

A. Duality of until and release operators

Lemma 8: For any trace $\sigma = (I_0, v_0), (I_1, v_1), \ldots$ over $AP$, $\mathrm{MITL}_{0,\infty}$ formulas $\varphi$ and $\psi$ over $AP$, $i \in \mathbb{N}$, $t \in I_i$ it holds that $\sigma^{(i,t)} \models (\varphi\,\mathrm{U}^s_{\bowtie n}\,\psi)$ iff $\sigma^{(i,t)} \models \neg(\neg\varphi\,\mathrm{R}^s_{\bowtie n}\,\neg\psi)$.

Proof: $\sigma^{(i,t)} \models \neg(\neg\varphi\,\mathrm{R}^s_{\bowtie n}\,\neg\psi)$ if and only if (by definition)

$\neg\forall (i',t') \in T^+(\sigma,(i,t)) : ((t' - t \bowtie n) \wedge \neg(\sigma^{(i',t')} \models \neg\psi)) \Rightarrow (\exists (i'',t'') \in T^+(\sigma,(i,t)) : (i'',t'') \prec (i',t') \wedge (\sigma^{(i'',t'')} \models \neg\varphi))$

if and only if (pushing negations inside)

$\exists (i',t') \in T^+(\sigma,(i,t)) : ((t' - t \bowtie n) \wedge \neg(\sigma^{(i',t')} \models \neg\psi)) \wedge (\forall (i'',t'') \in T^+(\sigma,(i,t)) : (i'',t'') \prec (i',t') \Rightarrow \neg(\sigma^{(i'',t'')} \models \neg\varphi))$

if and only if (replacing $\neg(\sigma^{(i'',t'')} \models \neg\,\cdot\,)$ by $(\sigma^{(i'',t'')} \models \cdot\,)$)

$\exists (i',t') \in T^+(\sigma,(i,t)) : ((t' - t \bowtie n) \wedge (\sigma^{(i',t')} \models \psi)) \wedge (\forall (i'',t'') \in T^+(\sigma,(i,t)) : (i'',t'') \prec (i',t') \Rightarrow (\sigma^{(i'',t'')} \models \varphi))$

if and only if (by definition) $\sigma^{(i,t)} \models (\varphi\,\mathrm{U}^s_{\bowtie n}\,\psi)$. ■

Lemma 9: For any trace $\sigma = (I_0, v_0), (I_1, v_1), \ldots$ over $AP$, $\mathrm{MITL}_{0,\infty}$ formulas $\varphi$ and $\psi$ over $AP$, $i \in \mathbb{N}$, $t \in I_i$ it holds that $\sigma^{(i,t)} \models (\varphi\,\mathrm{R}^s_{\bowtie n}\,\psi)$ iff $\sigma^{(i,t)} \models \neg(\neg\varphi\,\mathrm{U}^s_{\bowtie n}\,\neg\psi)$.

Proof: $\sigma^{(i,t)} \models \neg(\neg\varphi\,\mathrm{U}^s_{\bowtie n}\,\neg\psi)$ iff (by Lemma 8) $\sigma^{(i,t)} \models \neg\neg(\neg\neg\varphi\,\mathrm{R}^s_{\bowtie n}\,\neg\neg\psi)$ iff (double negations) $\sigma^{(i,t)} \models (\varphi\,\mathrm{R}^s_{\bowtie n}\,\psi)$. ■



B. Proof of Lemma 1

Lemma 1: If a trace $\sigma$ is fine for $\varphi$ and $\psi$, $i \in \mathbb{N}$, $t, u \in I_i$, $\triangleleft \in \{<, \le\}$, and $\triangleright \in \{>, \ge\}$, then

• if $\sigma^{(i,t)} \models \varphi\,\mathrm{U}^s_{\triangleleft n}\,\psi$ and $u > t$, then $\sigma^{(i,u)} \models \varphi\,\mathrm{U}^s_{\triangleleft n}\,\psi$;

• if $\sigma^{(i,t)} \models \varphi\,\mathrm{U}^s_{\triangleright n}\,\psi$ and $u < t$, then $\sigma^{(i,u)} \models \varphi\,\mathrm{U}^s_{\triangleright n}\,\psi$;

• if $\sigma^{(i,t)} \models \varphi\,\mathrm{R}^s_{\triangleleft n}\,\psi$ and $u < t$, then $\sigma^{(i,u)} \models \varphi\,\mathrm{R}^s_{\triangleleft n}\,\psi$;

• if $\sigma^{(i,t)} \models \varphi\,\mathrm{R}^s_{\triangleright n}\,\psi$ and $u > t$, then $\sigma^{(i,u)} \models \varphi\,\mathrm{R}^s_{\triangleright n}\,\psi$.

Proof: If $I_i$ is a singleton, then the lemma holds trivially. Thus, assume that $I_i$ is an open interval. We have the following four cases.

• Assume that $\sigma^{(i,t)} \models \varphi\,\mathrm{U}^s_{\triangleleft n}\,\psi$. Thus there exists a $(i',t') \in T^+(\sigma,(i,t))$ such that $(t' - t \triangleleft n) \wedge (\sigma^{(i',t')} \models \psi) \wedge (\forall (i'',t'') \in T^+(\sigma,(i,t)), (i'',t'') \prec (i',t') \Rightarrow (\sigma^{(i'',t'')} \models \varphi))$. Let $u > t$ with $u \in I_i$. Now $T^+(\sigma,(i,u)) \subseteq T^+(\sigma,(i,t))$.

If $i' > i$ or $i' = i \wedge u < t'$, then $(t' - u \triangleleft n) \wedge (\sigma^{(i',t')} \models \psi) \wedge (\forall (i'',t'') \in T^+(\sigma,(i,u)), (i'',t'') \prec (i',t') \Rightarrow (\sigma^{(i'',t'')} \models \varphi))$, implying $\sigma^{(i,u)} \models \varphi\,\mathrm{U}^s_{\triangleleft n}\,\psi$ irrespective of whether $\sigma$ is fine for $\varphi$ and $\psi$ or not.

If $i' = i$ and $u \ge t'$, then there is a $u' > u$ with $u' \in I_i$ and $u' - u \triangleleft n$ as $I_i$ is an open interval. As $\sigma$ is fine for $\psi$ and $\sigma^{(i,t')} \models \psi$, it holds that $\sigma^{(i,u')} \models \psi$ as well. As $\forall (i,t'') \in T^+(\sigma,(i,t)), (i,t'') \prec (i,t') \Rightarrow (\sigma^{(i,t'')} \models \varphi)$, there is at least one $t < t'' < t'$, and $\sigma$ is fine for $\varphi$, we have $\forall (i,u'') \in T^+(\sigma,(i,u)), (i,u'') \prec (i,u') \Rightarrow (\sigma^{(i,u'')} \models \varphi)$. Therefore, $\sigma^{(i,u)} \models \varphi\,\mathrm{U}^s_{\triangleleft n}\,\psi$.

• Assume that $\sigma^{(i,t)} \models \varphi\,\mathrm{U}^s_{\triangleright n}\,\psi$. Thus there exists a $(i',t') \in T^+(\sigma,(i,t))$ such that $(t' - t \triangleright n) \wedge (\sigma^{(i',t')} \models \psi) \wedge (\forall (i'',t'') \in T^+(\sigma,(i,t)), (i'',t'') \prec (i',t') \Rightarrow (\sigma^{(i'',t'')} \models \varphi))$. Let $u < t$ with $u \in I_i$. Thus $t' - u \triangleright n$. Because (i) $\forall (i'',t'') \in T^+(\sigma,(i,t)), (i'',t'') \prec (i',t') \Rightarrow (\sigma^{(i'',t'')} \models \varphi)$, (ii) there is at least one $t < t'' < t'$ with $t'' \in I_i$ as $I_i$ is open, and (iii) $\sigma$ is fine for $\varphi$, we have $\forall (i'',t'') \in T^+(\sigma,(i,u)), (i'',t'') \prec (i',t') \Rightarrow (\sigma^{(i'',t'')} \models \varphi)$. Therefore, $\sigma^{(i,u)} \models \varphi\,\mathrm{U}^s_{\triangleright n}\,\psi$.

• Assume that $\sigma^{(i,t)} \models \varphi\,\mathrm{R}^s_{\triangleleft n}\,\psi$. Thus $\forall (i',t') \in T^+(\sigma,(i,t)), ((t' - t \triangleleft n) \wedge \neg(\sigma^{(i',t')} \models \psi)) \Rightarrow (\exists (i'',t'') \in T^+(\sigma,(i,t)), (i'',t'') \prec (i',t') \wedge (\sigma^{(i'',t'')} \models \varphi))$. Let $u < t$ with $u \in I_i$. Suppose that $(u' - u \triangleleft n) \wedge \neg(\sigma^{(j',u')} \models \psi)$ for some $(j',u') \in T^+(\sigma,(i,u))$. If $(i,t) \prec (j',u')$, then $\exists (i'',t'') \in T^+(\sigma,(i,t)), (i'',t'') \prec (j',u') \wedge (\sigma^{(i'',t'')} \models \varphi)$. On the other hand, if $(j',u') = (i,t)$ or $(j',u') \prec (i,t)$, then $j' = i$, $\neg(\sigma^{(i,v)} \models \psi)$ for all $v \in I_i$ as $\sigma$ is fine for $\psi$, there is a $(i,t'') \in T^+(\sigma,(i,t))$ with $(i,t) \prec (i,t'') \wedge (\sigma^{(i,t'')} \models \varphi)$ as $I_i$ is open, $\sigma^{(i,v)} \models \varphi$ for all $v \in I_i$ as $\sigma$ is fine for $\varphi$, and $\sigma^{(i,u)} \models \varphi\,\mathrm{R}^s_{\triangleleft n}\,\psi$.

• Assume that $\sigma^{(i,t)} \models \varphi\,\mathrm{R}^s_{\triangleright n}\,\psi$. Thus $\forall (i',t') \in T^+(\sigma,(i,t)), ((t' - t \triangleright n) \wedge \neg(\sigma^{(i',t')} \models \psi)) \Rightarrow (\exists (i'',t'') \in T^+(\sigma,(i,t)), (i'',t'') \prec (i',t') \wedge (\sigma^{(i'',t'')} \models \varphi))$. Let $u > t$ with $u \in I_i$. Suppose that $(u' - u \triangleright n) \wedge \neg(\sigma^{(j',u')} \models \psi)$ for some $(j',u') \in T^+(\sigma,(i,u))$. As $u' - t \triangleright n$, there exists a $(i'',t'') \in T^+(\sigma,(i,t))$ such that $(i'',t'') \prec (j',u') \wedge (\sigma^{(i'',t'')} \models \varphi)$. If $(i,u) \prec (i'',t'')$, we are done. On the other hand, if $(i'',t'') = (i,u)$ or $(i'',t'') \prec (i,u)$, then $i'' = i$, $\sigma^{(i,w)} \models \varphi$ for all $w \in I_i$ as $\sigma$ is fine for $\varphi$, there exists a $(i,u'')$ such that $(i,u) \prec (i,u'') \prec (j',u')$ as $I_i$ is open, and thus $\sigma^{(i,u)} \models \varphi\,\mathrm{R}^s_{\triangleright n}\,\psi$. ■



C. Proof of Lemma 2

Lemma 2: Let $\varphi$ be a $\mathrm{MITL}_{0,\infty}$ formula and $\sigma$ a trace. There is a refinement $\sigma'$ of $\sigma$ that is $\varphi$-fine. Such a refinement can be obtained by splitting each open interval in $\sigma$ into at most $2^K$ new open intervals and $2^K - 1$ singletons, where $K$ is the number of timed until and release operators in $\varphi$.

Proof: Let $[\varphi_1, \ldots, \varphi_n]$ be a list containing all the sub-formulas of $\varphi$ so that the sub-formulas of a sub-formula $\varphi_i$ are listed before $\varphi_i$. Thus $\varphi_1$ is an atomic proposition and $\varphi_n = \varphi$.

We now construct a trace $\sigma_i$ for each $1 \le i \le n$ such that $\sigma_i$ is fine for all sub-formulas $\varphi_j$ with $1 \le j \le i$.

• If $\varphi_i$ is an atomic proposition or of forms $\neg\varphi_j$, $\varphi_j \wedge \varphi_k$, or $\varphi_j \vee \varphi_k$ with $j, k < i$, then $\sigma_i = \sigma_{i-1}$ is fine for $\varphi_i$ as well.

• If $\varphi_i$ is an until or release formula of forms $\varphi_j\,\mathrm{U}^s_{\bowtie n}\,\varphi_k$ or $\varphi_j\,\mathrm{R}^s_{\bowtie n}\,\varphi_k$, then by (i) recalling that $\sigma_{i-1}$ is fine for $\varphi_j$ and $\varphi_k$ and (ii) applying Lemma 1, we obtain a $\varphi_i$-fine trace $\sigma_i$ by splitting each open interval in $\sigma_{i-1}$ into at most two new open intervals and one singleton interval. ■

D. Proof of Lemma 3

Lemma 3: $\sigma^{(i,t)} \models \varphi\,\mathrm{U}^s_{\triangleleft n}\,\psi$ iff $\sigma^{(i,t)} \models (\mathrm{F}^s_{\triangleleft n}\,\psi) \wedge (\varphi\,\mathrm{U}^s\,\psi)$ for all $i \in \mathbb{N}$, $t \in I_i$, $\triangleleft \in \{<, \le\}$, and $n \in \mathbb{N}$.

Proof: Recall that $\sigma^{(i,t)} \models (\varphi\,\mathrm{U}^s_{\triangleleft n}\,\psi)$ iff $\exists (i',t') \in T^+(\sigma,(i,t)) : (t' - t \triangleleft n) \wedge (\sigma^{(i',t')} \models \psi) \wedge (\forall (i'',t'') \in T^+(\sigma,(i,t)) : (i'',t'') \prec (i',t') \Rightarrow (\sigma^{(i'',t'')} \models \varphi))$.

• The "$\Rightarrow$" part.

As is easy to see from the semantics, $\sigma^{(i,t)} \models (\varphi\,\mathrm{U}^s_{\triangleleft n}\,\psi)$ implies both (i) $\sigma^{(i,t)} \models (\varphi\,\mathrm{U}^s\,\psi)$ and (ii) $\sigma^{(i,t)} \models (\mathit{true}\,\mathrm{U}^s_{\triangleleft n}\,\psi)$, corresponding to $\sigma^{(i,t)} \models \mathrm{F}^s_{\triangleleft n}\,\psi$.

• The "$\Leftarrow$" part.

By the semantics, if $\sigma^{(i,t)} \models (\varphi\,\mathrm{U}^s\,\psi)$ we can pick a $(i',t') \in T^+(\sigma,(i,t))$ such that $(t' - t \ge 0) \wedge (\sigma^{(i',t')} \models \psi) \wedge (\forall (i'',t'') \in T^+(\sigma,(i,t)) : (i'',t'') \prec (i',t') \Rightarrow (\sigma^{(i'',t'')} \models \varphi))$. We have two cases now:

- If $t' - t \triangleleft n$, then we immediately have $\sigma^{(i,t)} \models \varphi\,\mathrm{U}^s_{\triangleleft n}\,\psi$.

- Otherwise, $\sigma^{(i,t)} \models \mathrm{F}^s_{\triangleleft n}\,\psi$ allows us to pick $(j',u') \in T^+(\sigma,(i,t))$ such that $(u' - t \triangleleft n) \wedge (\sigma^{(j',u')} \models \psi)$. As $u' - t \triangleleft n$, we know that $(j',u') \prec (i',t')$, which in turn implies that $\forall (i'',t'') \in T^+(\sigma,(i,t)) : (i'',t'') \prec (j',u') \Rightarrow (\sigma^{(i'',t'')} \models \varphi)$. Thus we obtain $\sigma^{(i,t)} \models (\varphi\,\mathrm{U}^s_{\triangleleft n}\,\psi)$. ■



E. Soundness proofs

Lemma 4: The transition system $\mathcal{S}_p$ is a sound encoding for $p$ and $\mathcal{S}_{\neg p}$ is a sound encoding for $\neg p$. If a transition system $\mathcal{S}$ over $AP$ is a sound encoding of $\alpha$ and $\beta$, then the transition system $\mathcal{S}_{\mathrm{Op}\,\alpha}$ over $AP$ is a sound encoding of $\mathrm{Op}\,\alpha$ for each $\mathrm{Op} \in \{\mathrm{F}^s_{\le 0}, \mathrm{F}^s_{<n}, \mathrm{F}^s_{\le n}, \mathrm{G}^s_{\le 0}, \mathrm{G}^s_{<n}, \mathrm{G}^s_{\le n}\}$, and $\mathcal{S}_{\alpha\,\mathrm{Op}\,\beta}$ is a sound encoding of $\alpha\,\mathrm{Op}\,\beta$ for each $\mathrm{Op} \in \{\wedge, \vee, \mathrm{U}^s, \mathrm{U}^s_{>n}, \mathrm{U}^s_{\ge n}, \mathrm{R}^s, \mathrm{R}^s_{>n}, \mathrm{R}^s_{\ge n}\}$.

Recall that we call an encoding $\mathcal{S}_\varphi$ sound if the following are satisfied:

• all the traces of $\mathcal{S}$ (i.e. projections of runs to the atomic propositions) are preserved: $\mathit{traces}(\mathcal{S}_\varphi) = \mathit{traces}(\mathcal{S})$;

• when $[\![ \varphi ]\!]$ holds in a state, then $\varphi$ holds in the corresponding interval: for each run $r = s_0 s_1 \ldots$ of $\mathcal{S}_\varphi$ with $\mathit{trace}(r) = \sigma = (I_0, v_0)(I_1, v_1)\ldots$, and each $i \in \mathbb{N}$, $s_i([\![ \varphi ]\!]) = \mathit{true}$ implies $\forall t \in I_i : \sigma^{(i,t)} \models \varphi$.

We will now prove Lemma 4 separately for each operator. Note that as we assumed $\mathcal{S}$ to be sound for $\alpha$ and $\beta$, we know that any point on a run where $[\![ \alpha ]\!]$ holds satisfies $\alpha$ and any point where $[\![ \beta ]\!]$ holds satisfies $\beta$, which will be used in the proofs without being mentioned explicitly every single time.



Proof: For $\mathrm{Op} \in \{\wedge, \vee\}$. Clearly, all runs are preserved. Also, by the constraint that $[\![ \alpha\ \mathrm{Op}\ \beta ]\!] \Leftrightarrow [\![ \alpha ]\!]\ \mathrm{Op}\ [\![ \beta ]\!]$, it immediately follows that for any $i \in \mathbb{N}$ we have $\forall t \in I_i : s_i([\![ \alpha\ \mathrm{Op}\ \beta ]\!]) \Rightarrow (\sigma^{(i,t)} \models \alpha\ \mathrm{Op}\ \beta)$. ■

Proof: For $\mathrm{Op} = \mathrm{U}^s$. Clearly, all the traces are preserved in $\mathcal{S}_{\alpha\,\mathrm{U}^s\,\beta}$ as setting $[\![ \alpha\,\mathrm{U}^s\,\beta ]\!]$ to false leads to both constraints being satisfied regardless of the trace.

Now take a run $r = s_0 s_1 s_2 \ldots$ of $\mathcal{S}_{\alpha\,\mathrm{U}^s\,\beta}$ with $\mathit{trace}(r) = \sigma = (I_0, v_0)(I_1, v_1)\ldots$, $i \in \mathbb{N}$ and $t \in I_i$ with $s_i([\![ \alpha\,\mathrm{U}^s\,\beta ]\!]) = \mathit{true}$. It remains to show that $\sigma^{(i,t)} \models \alpha\,\mathrm{U}^s\,\beta$.

If $I_i$ is open, then by Constraint 1 we know that $s_i([\![ \alpha ]\!]) = \mathit{true}$. Furthermore, there are three possibilities (multiple of which may be applicable):

1) $s_i([\![ \beta ]\!]) = \mathit{true}$. In this case we can pick any future time point on the open interval $i$ and demonstrate that $\beta$ holds there and $\alpha$ holds up to that point, meaning that $\sigma^{(i,t)} \models \alpha\,\mathrm{U}^s\,\beta$.

2) $s_{i+1}([\![ \beta ]\!]) = \mathit{true}$. As $I_i$ is open, we know that $I_{i+1}$ is a singleton. Furthermore, as $s_i([\![ \alpha ]\!]) = \mathit{true}$ we know that $\alpha$ holds up to the single time point constituting $I_{i+1}$. Hence, $\sigma^{(i,t)} \models \alpha\,\mathrm{U}^s\,\beta$.

3) $s_i([\![ \alpha ]\!]) = \mathit{true}$ and $s_i([\![ \beta ]\!]) = s_{i+1}([\![ \beta ]\!]) = \mathit{false}$. By Constraint 1, then $s_{i+1}([\![ \alpha\,\mathrm{U}^s\,\beta ]\!]) = \mathit{true}$. By the fairness constraint $\mathcal{F}_{\alpha\,\mathrm{U}^s\,\beta}$ we know that there is a future interval on which either $[\![ \beta ]\!]$ holds or $[\![ \alpha\,\mathrm{U}^s\,\beta ]\!]$ does not hold. Pick $j > i + 1$ as small as possible such that $s_j([\![ \beta ]\!]) = \mathit{true}$ or $s_j([\![ \alpha\,\mathrm{U}^s\,\beta ]\!]) = \mathit{false}$. Now $s_i([\![ \alpha\,\mathrm{U}^s\,\beta ]\!]) = \ldots = s_{j-1}([\![ \alpha\,\mathrm{U}^s\,\beta ]\!]) = \mathit{true}$ and $s_i([\![ \beta ]\!]) = \ldots = s_{j-1}([\![ \beta ]\!]) = \mathit{false}$. Note that the only way to satisfy Constraints 1 and 2 on intervals $i, \ldots, j-2$ now is by $[\![ \alpha ]\!]$ holding on those intervals, meaning that $s_{i+1}([\![ \alpha ]\!]) = \ldots = s_{j-1}([\![ \alpha ]\!]) = \mathit{true}$. Now

- If $I_{j-1}$ is open, then by Constraint 1 we know that $s_j([\![ \beta ]\!]) = \mathit{true}$ or $s_j([\![ \alpha\,\mathrm{U}^s\,\beta ]\!]) = \mathit{true}$. As we picked $j$ so that $s_j([\![ \beta ]\!]) = \mathit{true}$ or $s_j([\![ \alpha\,\mathrm{U}^s\,\beta ]\!]) = \mathit{false}$, we know that $s_j([\![ \beta ]\!]) = \mathit{true}$ (meaning that $\beta$ holds at interval $j$) in either case. Furthermore, as $I_{j-1}$ is open we know that $I_j$ is a singleton, implying that $[\![ \alpha ]\!]$ (and thus $\alpha$) holds anywhere in between $(i,t)$ and $I_j$. Thus, $\sigma^{(i,t)} \models \alpha\,\mathrm{U}^s\,\beta$.

- If $I_{j-1}$ is a singleton, then by Constraint 2 we know that either $s_j([\![ \beta ]\!]) = \mathit{true}$ and $I_j$ is a singleton, or $s_j([\![ \alpha\,\mathrm{U}^s\,\beta ]\!]) = s_j([\![ \alpha ]\!]) = \mathit{true}$. Again, by the choice of $j$ we know that $s_j([\![ \alpha\,\mathrm{U}^s\,\beta ]\!]) = \mathit{true}$ implies that $s_j([\![ \beta ]\!]) = \mathit{true}$. Thus, there is in either case a time point in interval $j$ at which $[\![ \beta ]\!]$ (and thus $\beta$) holds such that $[\![ \alpha ]\!]$ (and thus $\alpha$) holds anywhere in between $(i,t)$ and that time point. Hence, $\sigma^{(i,t)} \models \alpha\,\mathrm{U}^s\,\beta$.

If, in contrast, $I_i$ is a singleton, then by Constraint 2 there are two possibilities:

1) $I_{i+1}$ is a singleton and $s_{i+1}([\![ \beta ]\!]) = \mathit{true}$. In this case, trivially $\sigma^{(i,t)} \models \alpha\,\mathrm{U}^s\,\beta$.

2) $s_{i+1}([\![ \alpha ]\!]) = s_{i+1}([\![ \alpha\,\mathrm{U}^s\,\beta ]\!]) = \mathit{true}$. If additionally $s_{i+1}([\![ \beta ]\!]) = \mathit{true}$, then $\sigma^{(i,t)} \models \alpha\,\mathrm{U}^s\,\beta$ regardless of whether $I_{i+1}$ is a singleton or an open interval. If, in contrast, $s_{i+1}([\![ \beta ]\!]) = \mathit{false}$, then we can, again, pick $j > i + 1$ as small as possible such that $s_j([\![ \beta ]\!]) = \mathit{true}$ or $s_j([\![ \alpha\,\mathrm{U}^s\,\beta ]\!]) = \mathit{false}$. By proceeding precisely in the same way as in Case 3 for open $I_i$, we can again deduce that $\sigma^{(i,t)} \models \alpha\,\mathrm{U}^s\,\beta$.

Thus, $\sigma^{(i,t)} \models \alpha\,\mathrm{U}^s\,\beta$ holds in each of the described cases. ■

Proof: For $\mathrm{Op} = \mathrm{F}^s_{\le 0}$. Again, the "preservation of traces" property follows from the fact that the constraint is trivially satisfied globally when $[\![ \mathrm{F}^s_{\le 0}\,\alpha ]\!]$ is set to false globally.

Now take a run $r = s_0 s_1 s_2 \ldots$ of $\mathcal{S}_{\mathrm{F}^s_{\le 0}\,\alpha}$ with $\mathit{trace}(r) = \sigma = (I_0, v_0)(I_1, v_1)\ldots$, $i \in \mathbb{N}$ and $t \in I_i$ with $s_i([\![ \mathrm{F}^s_{\le 0}\,\alpha ]\!]) = \mathit{true}$. It remains to show that $\sigma^{(i,t)} \models \mathrm{F}^s_{\le 0}\,\alpha$.

By Constraint 3, we now know that $I_i$ and $I_{i+1}$ are both singletons. This, in particular, means that $I_{i+1} = [t, t]$. Furthermore, by Constraint 3 one of the following holds:

• $s_{i+1}([\![ \alpha ]\!]) = \mathit{true}$. In this case, $\sigma^{(i,t)} \models \mathrm{F}^s_{\le 0}\,\alpha$ trivially.

• $s_{i+1}([\![ \mathrm{F}^s_{\le 0}\,\alpha ]\!]) = \mathit{true}$. In this case, $I_{i+2}$ is a singleton as well and again $s_{i+2}([\![ \alpha ]\!]) = \mathit{true}$ or $s_{i+2}([\![ \mathrm{F}^s_{\le 0}\,\alpha ]\!]) = \mathit{true}$. Applying this argument repeatedly leads to the conclusion that there needs to be an interval on which $[\![ \alpha ]\!]$ holds before the next open interval. The fact that $\sigma$ is non-zeno, furthermore, implies that there is a future open interval. Thus, we can conclude that there is a sequence of singleton intervals starting at interval $i$ such that $[\![ \alpha ]\!]$ (and thus $\alpha$) holds on the last interval in that sequence. Thus, $\sigma^{(i,t)} \models \mathrm{F}^s_{\le 0}\,\alpha$.

In both cases we were able to demonstrate that $\sigma^{(i,t)} \models \mathrm{F}^s_{\le 0}\,\alpha$. ■

Proof: For Op = $F^s_{<n}$. The "preservation of traces" property follows from the fact that the constraints can easily be satisfied globally when $\llbracket F^s_{<n}\, \alpha\rrbracket$ is set to false globally.

Now take a $\mathcal{S}_{F^s_{<n}\alpha}$ run $r = s_0 s_1 s_2 \ldots$ with $\mathrm{trace}(r) = \sigma = (I_0, v_0)(I_1, v_1)\ldots$, $i \in \mathbb{N}$ and $t \in I_i$ with $s_i(\llbracket F^s_{<n}\, \alpha\rrbracket) = \mathit{true}$. It remains to show that $\sigma^{(i,t)} \models F^s_{<n}\, \alpha$.

Choose $j \in \mathbb{N}$ as large as possible such that $0 \le j \le i$ and either $R_c$ holds at interval $j-1$ or $j = 0$. We now know that (i) $s_j(c) = 0$ and (ii) $s_j(\mathit{lefto}) = \mathit{true}$ iff $I_j$ is open. Let $\hat{j} = j+1$ if interval $j$ is a singleton and $\hat{j} = j$ otherwise. If now $j < i$, then we know that $R_c$ does not hold on interval $i-1$, meaning that $s_{i-1}(\llbracket F^s_{<n}\, \alpha\rrbracket) = \mathit{true}$, $s_i(\llbracket\alpha\rrbracket) = \mathit{false}$ and $s_{i-1}(\llbracket\alpha\rrbracket) = \mathit{false}$ if $I_{i-1}$ is open. Applying the same reasoning repeatedly, we can deduce that, firstly, $s_j(\llbracket F^s_{<n}\, \alpha\rrbracket) = \ldots = s_i(\llbracket F^s_{<n}\, \alpha\rrbracket) = \mathit{true}$ and, secondly, $s_{\hat{j}}(\llbracket\alpha\rrbracket) = \ldots = s_i(\llbracket\alpha\rrbracket) = \mathit{false}$.

Let $\hat{i} = i+1$ if $I_i$ is a singleton and $\hat{i} = i$ otherwise. Now assume that $s_{\hat{i}}(\llbracket\alpha\rrbracket) = s_{\hat{i}+1}(\llbracket\alpha\rrbracket) = \ldots = \mathit{false}$. In this case Constraints 4 and 5 imply that $s_{\hat{i}}(\llbracket F^s_{<n}\, \alpha\rrbracket) = s_{\hat{i}+1}(\llbracket F^s_{<n}\, \alpha\rrbracket) = \ldots = \mathit{true}$. Thus $R_c$ is false on intervals $\hat{i}, \hat{i}+1, \ldots$. As we assumed a non-zeno trace, this implies that there is no upper bound to the value of $c$ on the intervals $\hat{i}, \hat{i}+1, \ldots$, implying that $T_c$ eventually becomes false on all intervals starting from some interval after interval $i$. As now $\llbracket F^s_{<n}\, \alpha\rrbracket$ holds globally and $\llbracket\alpha\rrbracket$ globally does not hold starting from interval $\hat{i}$, this contradicts Constraint 9. Thus, assuming there is no point at which $\llbracket\alpha\rrbracket$ holds after interval $i$ leads to a contradiction, implying that there has to be a point where $\llbracket\alpha\rrbracket$ holds. Thus, we can pick $k \ge \hat{i}$ as small as possible such that $s_k(\llbracket\alpha\rrbracket) = \mathit{true}$.

• Case 1: $i = k$. As $k \ge \hat{i}$, this implies that $I_i$ is open. As, furthermore, $s_k(\llbracket\alpha\rrbracket) = \mathit{true}$ and thus $s_i(\llbracket\alpha\rrbracket) = \mathit{true}$, we know that $\sigma^{(i,t)} \models F^s_{<n}\, \llbracket\alpha\rrbracket$.

• Case 2: $i \ne k$ and $k = \hat{j}+1$. As $\hat{j} \le \hat{i} \le k$ we know that $\hat{i} = \hat{j}$. Now

- If $I_i$ is a singleton, then $\sigma^{(i,t)} \models F^s_{<n}\, \llbracket\alpha\rrbracket$ trivially holds.

- If $I_i$ is open, then $\hat{i} = i$. Thus, by the choice of $k$ we know that $s_i(\llbracket\alpha\rrbracket) = \mathit{false}$. As $s_i(\llbracket F^s_{<n}\, \alpha\rrbracket) = \mathit{true}$, Constraint 9 implies that $T_c$ holds at interval $i$. As $\hat{j} = \hat{i} = i$, we know that $s_i(c) = 0$. By the definition of $T_c$, we now know that the value of $\delta$ at interval $i$ is less than or equal to $n$. This together with the fact that $I_i$ is open implies we can pick a point in $I_k$ that is less than $n$ time units away from $(i,t)$ and, ultimately, that $\sigma^{(i,t)} \models F^s_{<n}\, \llbracket\alpha\rrbracket$.

• Case 3: $i \ne k$ and $k \ge \hat{j}+2$. By $s_{\hat{i}}(\llbracket\alpha\rrbracket) = \ldots = s_{k-1}(\llbracket\alpha\rrbracket) = \mathit{false}$ and by Constraints 4 and 5, we now know that $s_{\hat{i}+1}(\llbracket F^s_{<n}\, \alpha\rrbracket) = \ldots = s_{k-1}(\llbracket F^s_{<n}\, \alpha\rrbracket) = \mathit{true}$. Together with our previous observations we now know that $s_{\hat{j}}(\llbracket\alpha\rrbracket) = \ldots = s_{k-1}(\llbracket\alpha\rrbracket) = \mathit{false}$ and $s_j(\llbracket F^s_{<n}\, \alpha\rrbracket) = \ldots = s_{k-1}(\llbracket F^s_{<n}\, \alpha\rrbracket) = \mathit{true}$. This implies that $R_c$ does not hold on intervals $j, \ldots, k-2$, in turn implying that $c$ and $\mathit{lefto}$ are updated according to Constraint 8 on the transitions from intervals $j, \ldots, k-2$ to the respective following interval. Therefore, $s_{k-1}(c)$ is the difference between the left bound of $I_j$ and the left bound of $I_{k-1}$. Thus, $s_{k-1}(c) + s_{k-1}(\delta)$ is the difference between the left bound of $I_k$ and the left bound of $I_j$. As $s_{k-1}(\llbracket F^s_{<n}\, \alpha\rrbracket) = \mathit{true}$ and $s_{k-1}(\llbracket\alpha\rrbracket) = \mathit{false}$, Constraint 9 implies that $T_c$ holds at interval $k-1$. Now

- If $I_j$ is open, then the difference between the left bounds of $I_k$ and $I_j$ is less than or equal to $n$. Then we can for every point in $I_j$ pick another point in $I_k$ that is less than $n$ time units away from the point in $I_j$.

- If $I_j$ is a singleton, then the difference between the left bounds of $I_k$ and $I_j$ is less than $n$. Again, this means that we can for every point in $I_j$ pick another point in $I_k$ that is less than $n$ time units away from the point in $I_j$.

Finally, as $j \le i < k$, we can also for $(i,t)$ pick a point in $I_k$ that is less than $n$ time units away. As $s_k(\llbracket\alpha\rrbracket) = \mathit{true}$, this implies that $\sigma^{(i,t)} \models F^s_{<n}\, \alpha$.

In each case we were able to demonstrate that $\sigma^{(i,t)} \models F^s_{<n}\, \alpha$. ■

Proof: For Op = $F^s_{\le n}$. The proof for Op = $F^s_{\le n}$ proceeds precisely as the proof for Op = $F^s_{<n}$, except for arguing that there are time points $\le n$ time units apart in $I_j$ and $I_k$ in Case 3.

By the definition of $T_c$ for the comparison $\le$ and as $T_c$ holds at interval $k-1$ we know that in Case 3 one of the following holds:

• The difference between the left bounds of $I_k$ and $I_j$ is less than $n$ time units. In this case, we can trivially pick for any point in $I_j$ a point that is $\le n$ time units away in $I_k$.

• The difference between the left bounds of $I_k$ and $I_j$ is $n$ time units and $I_j$ is open or $I_k$ is a singleton. Again we can pick for any point in $I_j$ a point that is $\le n$ time units away in $I_k$.

■

Proof: For Op = $U^s_{>n}$. The "preservation of traces" property follows from the fact that the constraints can easily be satisfied globally when $\llbracket\alpha\, U^s_{>n}\, \beta\rrbracket$ and $\mathit{oblig}$ are set to false globally.

Now take a $\mathcal{S}_{\alpha U^s_{>n} \beta}$ run $r = s_0 s_1 s_2 \ldots$ with $\mathrm{trace}(r) = \sigma = (I_0, v_0)(I_1, v_1)\ldots$, $i \in \mathbb{N}$ and $t \in I_i$ with $s_i(\llbracket\alpha\, U^s_{>n}\, \beta\rrbracket) = \mathit{true}$. It remains to show that $\sigma^{(i,t)} \models \alpha\, U^s_{>n}\, \beta$.

By the fact that $s_i(\llbracket\alpha\, U^s_{>n}\, \beta\rrbracket) = \mathit{true}$ and Constraint 10 we know that $s_i(\mathit{oblig}) = \mathit{true}$. Let $\hat{i} = i$ if $I_i$ is open and $\hat{i} = i+1$ otherwise. Now

• Case 1: $f$ holds on interval $\hat{i}+1$. Then $T_c$ and $\llbracket\beta\rrbracket$ hold on interval $\hat{i}+1$. As $s_i(\llbracket\alpha\, U^s_{>n}\, \beta\rrbracket) = \mathit{true}$, we know that $s_{\hat{i}+1}(c) = 0$ and $s_{\hat{i}+1}(\mathit{righto}) = \mathit{true}$ iff $I_{\hat{i}}$ is open. Now

- If interval $I_{\hat{i}+1}$ is a singleton, then $s_{\hat{i}+1}(c) + s_{\hat{i}+1}(\delta) = 0$. Because $T_c$ holds on interval $\hat{i}+1$, we then know that $n = 0$ and $s_{\hat{i}+1}(\mathit{righto}) = \mathit{true}$, the latter implying that $I_{\hat{i}}$ is open. Now Constraint 12 implies that $s_{\hat{i}}(\llbracket\alpha\rrbracket) = \mathit{true}$. Furthermore, as $I_{\hat{i}}$ is open, we can pick a point that is more than $0$ time units away from $(i,t)$ in $I_{\hat{i}+1}$. Thus, $\sigma^{(i,t)} \models \alpha\, U^s_{>n}\, \beta$.

- If, in contrast, $I_{\hat{i}+1}$ is open, then $I_{\hat{i}}$ is a singleton and $s_{\hat{i}+1}(\mathit{righto}) = \mathit{false}$. Thus, the fact that $T_c$ is satisfied on interval $\hat{i}+1$ implies that $s_{\hat{i}+1}(\delta) > n$. Thus we can pick a point that is more than $n$ time units away from $(i,t)$ in $I_{\hat{i}+1}$. As $I_{\hat{i}}$ is a singleton and $I_{\hat{i}+1}$ an open interval, Constraint 13 implies that $s_{\hat{i}+1}(\llbracket\alpha\rrbracket) = \mathit{true}$, meaning that $\sigma^{(i,t)} \models \alpha\, U^s_{>n}\, \beta$.

• Case 2: $f$ does not hold on interval $\hat{i}+1$ and $s_{\hat{i}+1}(\mathit{oblig}) = \mathit{false}$. Now based on Constraint 11 this means that $n = 0$. Furthermore, the only way to satisfy Constraints 12 and 13 is if $I_{\hat{i}}$ is open and $f$ and $\llbracket\alpha\rrbracket$ hold at interval $\hat{i}$. In this case, $s_{\hat{i}}(\llbracket\alpha\rrbracket) = s_{\hat{i}}(\llbracket\beta\rrbracket) = \mathit{true}$, implying that $\sigma^{(i,t)} \models \alpha\, U^s_{>0}\, \beta$.

• Case 3: $f$ does not hold on interval $\hat{i}+1$ and $s_{\hat{i}+1}(\llbracket\alpha\rrbracket) = \mathit{false}$. Again, Constraint 11 implies that $n = 0$. Furthermore, Constraints 12 and 13 can only be satisfied if $I_{\hat{i}}$ is open and both $\llbracket\alpha\rrbracket$ and $f$ hold on interval $\hat{i}$. Clearly, $\sigma^{(i,t)} \models \alpha\, U^s_{>0}\, \beta$.

• Case 4: $f$ does not hold on interval $\hat{i}+1$, $s_{\hat{i}+1}(\mathit{oblig}) = s_{\hat{i}+1}(\llbracket\alpha\rrbracket) = \mathit{true}$ and $f$ holds on interval $\hat{i}+2$ or any later interval. Pick $j$ as small as possible such that $j \ge \hat{i}+2$ and $f$ holds at interval $j$. Let $\hat{j} = j$ if $I_j$ is open and $\hat{j} = j-1$ if $I_j$ is a singleton. Note that Constraints 12 and 13 correspond to Constraints 1 and 2 in the $U^s$-encoding, except that $\llbracket\alpha\, U^s_{>n}\, \beta\rrbracket$ has been replaced by $\mathit{oblig}$ and $\llbracket\beta\rrbracket$ has been replaced by $f$. This correspondence allows us to conclude that $\alpha\, U^s\, f$ is satisfied everywhere on interval $\hat{i}+1$. By the fact that $\alpha\, U^s\, f$ holds on interval $\hat{i}+1$ and the choice of $j$ we now know that $s_{\hat{i}+2}(\llbracket\alpha\rrbracket) = \ldots = s_{\hat{j}}(\llbracket\alpha\rrbracket) = \mathit{true}$. Furthermore, we assumed $s_{\hat{i}+1}(\llbracket\alpha\rrbracket) = \mathit{true}$. Also, if $I_i$ is open, the fact that $s_i(\mathit{oblig}) = \mathit{true}$ and Constraint 12 imply that $s_i(\llbracket\alpha\rrbracket) = \mathit{true}$. Thus, we know that $s_{\hat{i}}(\llbracket\alpha\rrbracket) = \ldots = s_{\hat{j}}(\llbracket\alpha\rrbracket) = \mathit{true}$.

Now choose $k$ as large as possible such that $\hat{i} \le k \le j$ and $s_k(\llbracket\alpha\, U^s_{>n}\, \beta\rrbracket) = \mathit{true}$. Now the values of $c$ and $\mathit{righto}$ are set according to Constraint 14 on interval $k+1$ and according to Constraint 15 on intervals $k+2, \ldots, j$. This implies that $s_j(c)$ is the difference between the left bound of $I_j$ and the right bound of $I_k$. Thus, $s_j(c) + s_j(\delta)$ is the difference between the right bounds of $I_j$ and $I_k$. Furthermore, $s_j(\mathit{righto}) = \mathit{true}$ iff $I_k$ is open. As $f$ holds on interval $j$, we know by the definition of $f$ that $T_c$ holds on interval $j$. Thus, the difference between the right bounds of $I_j$ and $I_k$ is greater than or equal to $n$, and greater than $n$ if $I_k$ is a singleton. This implies that for every point in $I_k$ we can pick a point in $I_j$ that is more than $n$ time units away. As $\hat{i} \le k$, we can also pick a point in $I_j$ that is more than $n$ time units away from $t$. Furthermore, by $f$ holding on interval $j$ we know that $s_j(\llbracket\beta\rrbracket) = \mathit{true}$. Together with the fact that $s_{\hat{i}}(\llbracket\alpha\rrbracket) = \ldots = s_{\hat{j}}(\llbracket\alpha\rrbracket) = \mathit{true}$, this implies that $\sigma^{(i,t)} \models \alpha\, U^s_{>n}\, \beta$.

• Case 5: $f$ does not hold on intervals $\hat{i}+1, \hat{i}+2, \ldots$ and $s_{\hat{i}+1}(\mathit{oblig}) = s_{\hat{i}+1}(\llbracket\alpha\rrbracket) = \mathit{true}$. Now by Constraints 12 and 13 we know that $s_{\hat{i}}(\llbracket\alpha\rrbracket) = s_{\hat{i}+1}(\llbracket\alpha\rrbracket) = \ldots = \mathit{true}$ and $s_{\hat{i}}(\mathit{oblig}) = s_{\hat{i}+1}(\mathit{oblig}) = \ldots = \mathit{true}$, i.e. $\llbracket\alpha\rrbracket$ and $\mathit{oblig}$ hold globally starting from interval $\hat{i}$. Thus, $\neg\mathit{oblig}$ holds only on finitely many intervals. By fairness constraint $\mathcal{F}_{\alpha U^s_{>n} \beta}$, this implies that $\llbracket\beta\rrbracket$ holds on infinitely many intervals. As $\sigma$ is non-zeno, this implies that we can pick an interval that contains a point more than $n$ time units away from $(i,t)$ and on which $\llbracket\beta\rrbracket$ holds. As $\llbracket\alpha\rrbracket$ holds globally starting from interval $\hat{i}$, this implies that $\sigma^{(i,t)} \models \alpha\, U^s_{>n}\, \beta$.

In each case, we were able to demonstrate that $\sigma^{(i,t)} \models \alpha\, U^s_{>n}\, \beta$. ■

Proof: For Op = $U^s_{\ge n}$. As a first observation, we note that in case of Op = $U^s_{\ge n}$ we know that $n > 0$, as we use the $U^s$ encoding to encode $\alpha\, U^s_{\ge 0}\, \beta$.

We obtain the Op = $U^s_{\ge n}$ proof from the Op = $U^s_{>n}$ proof by the following modifications:

• In Case 1, assuming $I_{\hat{i}+1}$ to be a singleton contradicts our observation that $n > 0$, meaning that $I_{\hat{i}+1}$ is open and $I_{\hat{i}}$ is a singleton. Now the fact that $T_c$ holds on interval $\hat{i}+1$ implies that $s_{\hat{i}+1}(\delta) > n$. This allows us to pick a point in $I_{\hat{i}+1}$ that is $\ge n$ time units away from $(i,t)$. Analogously to the Op = $U^s_{>n}$ proof this leads to $\sigma^{(i,t)} \models \alpha\, U^s_{\ge n}\, \beta$.

• Cases 2 and 3 contradict $n > 0$.

• In Case 4, the fact that $T_c$ holds on interval $j$ implies that either (i) the difference between the right bounds of $I_j$ and $I_k$ is greater than $n$ or (ii) the difference between the right bounds of $I_j$ and $I_k$ equals $n$ and $I_k$ is open or $I_j$ is a singleton. Thus, we can for every point in $I_k$ pick a point in $I_j$ that is $\ge n$ time units away.

• Case 5 does not need modification.

■

Proof: For Op = $R^s$. The "preservation of traces" property follows from the fact that the constraints can easily be satisfied globally when $\llbracket\alpha\, R^s\, \beta\rrbracket$ and $\mathit{oblig}$ are set to false globally.

Now take a $\mathcal{S}_{\alpha R^s \beta}$ run $r = s_0 s_1 s_2 \ldots$ with $\mathrm{trace}(r) = \sigma = (I_0, v_0)(I_1, v_1)\ldots$, $i \in \mathbb{N}$ and $t \in I_i$ with $s_i(\llbracket\alpha\, R^s\, \beta\rrbracket) = \mathit{true}$. It remains to show that $\sigma^{(i,t)} \models \alpha\, R^s\, \beta$. Let $\hat{i} = i$ if $I_i$ is open and $\hat{i} = i+1$ if $I_i$ is a singleton.

As a first case assume $s_{\hat{i}}(\llbracket\alpha\rrbracket) = s_{\hat{i}+1}(\llbracket\alpha\rrbracket) = \ldots = \mathit{false}$. Then by Constraints 16, 17 and 18 we know that $s_{\hat{i}}(\mathit{oblig}) = s_{\hat{i}+1}(\mathit{oblig}) = \ldots = \mathit{true}$. Now Constraint 19 implies that $s_{\hat{i}}(\llbracket\beta\rrbracket) = s_{\hat{i}+1}(\llbracket\beta\rrbracket) = \ldots = \mathit{true}$. Clearly, in this case $\sigma^{(i,t)} \models \alpha\, R^s\, \beta$.

As a second case assume $\llbracket\alpha\rrbracket$ holds at interval $\hat{i}$ or any later interval. Then let $j \ge \hat{i}$ be as small as possible such that $s_j(\llbracket\alpha\rrbracket) = \mathit{true}$. Then by Constraints 16, 17 and 18, we know that $s_{\hat{i}}(\mathit{oblig}) = \ldots = s_j(\mathit{oblig}) = \mathit{true}$. Now

• If $I_j$ is open, then by Constraint 19 we have that $s_{\hat{i}}(\llbracket\beta\rrbracket) = \ldots = s_{j-1}(\llbracket\beta\rrbracket) = \mathit{true}$. This, in turn, implies that for any time point after $(i,t)$ at which $\llbracket\beta\rrbracket$ does not hold there is an earlier time point in interval $j$. Hence, $\sigma^{(i,t)} \models \alpha\, R^s\, \beta$.

• If $I_j$ is a singleton, then by Constraint 19 we have that $s_{\hat{i}}(\llbracket\beta\rrbracket) = \ldots = s_j(\llbracket\beta\rrbracket) = \mathit{true}$. Thus, the single time point in interval $j$, at which $\llbracket\alpha\rrbracket$ holds, lies in between time point $(i,t)$ and any potential future point at which $\llbracket\beta\rrbracket$ does not hold. Again, $\sigma^{(i,t)} \models \alpha\, R^s\, \beta$.

■

Proof: For Op = $G^s_{\le 0}$. The "preservation of traces" property follows from the fact that the constraints can easily be satisfied globally when $\llbracket G^s_{\le 0}\, \alpha\rrbracket$ is set to false globally.

Now take a $\mathcal{S}_{G^s_{\le 0}\alpha}$ run $r = s_0 s_1 s_2 \ldots$ with $\mathrm{trace}(r) = \sigma = (I_0, v_0)(I_1, v_1)\ldots$, $i \in \mathbb{N}$ and $t \in I_i$ with $s_i(\llbracket G^s_{\le 0}\, \alpha\rrbracket) = \mathit{true}$. It remains to show that $\sigma^{(i,t)} \models G^s_{\le 0}\, \alpha$.

Recall that by the semantics of $G^s_{\le 0}$, a point on a trace satisfies $G^s_{\le 0}\, \alpha$ iff all future points that are zero time units away from that point satisfy $\alpha$. Note that a future time point can be zero time units away only if both the current and the next interval are singletons.

By Constraint 20, there are two possibilities:

• $I_i$ or $I_{i+1}$ is open. In this case, there are no future time points that are zero time units away for any point on interval $i$. Hence, $\sigma^{(i,t)} \models G^s_{\le 0}\, \alpha$ trivially.

• $I_i$ and $I_{i+1}$ are both singletons and $s_{i+1}(\llbracket\alpha\rrbracket) = s_{i+1}(\llbracket G^s_{\le 0}\, \alpha\rrbracket) = \mathit{true}$. By the fact that $s_{i+1}(\llbracket G^s_{\le 0}\, \alpha\rrbracket) = \mathit{true}$, we can again deduce that either $I_{i+2}$ is open or $s_{i+2}(\llbracket\alpha\rrbracket) = s_{i+2}(\llbracket G^s_{\le 0}\, \alpha\rrbracket) = \mathit{true}$. Repeatedly applying this argument leads to the conclusion that $\llbracket\alpha\rrbracket$ has to hold on all future singletons up to the next open interval, i.e., all future intervals containing points zero time units away from $(i,t)$. Thus, $\sigma^{(i,t)} \models G^s_{\le 0}\, \alpha$.

In both cases, we were able to show that $\sigma^{(i,t)} \models G^s_{\le 0}\, \alpha$.

■

Proof: For Op = $G^s_{<n}$. The "preservation of traces" property follows from the fact that the constraints can easily be satisfied globally when $\llbracket G^s_{<n}\, \alpha\rrbracket$ and $\mathit{oblig}$ are set to false globally.

Now take a $\mathcal{S}_{G^s_{<n}\alpha}$ run $r = s_0 s_1 s_2 \ldots$ with $\mathrm{trace}(r) = \sigma = (I_0, v_0)(I_1, v_1)\ldots$, $i \in \mathbb{N}$ and $t \in I_i$ with $s_i(\llbracket G^s_{<n}\, \alpha\rrbracket) = \mathit{true}$. It remains to show that $\sigma^{(i,t)} \models G^s_{<n}\, \alpha$.

Take an arbitrary $j > i$ and $t_2 \in I_j$ such that $t_2 - t < n$ (if such a $j$ exists). Let $k$ be as large as possible such that $i \le k < j$ and $s_k(\llbracket G^s_{<n}\, \alpha\rrbracket) = \mathit{true}$. By Constraint 22, we know that $s_{k+1}(c) = 0$. Furthermore, by Constraints 22 and 23, we know that $s_j(c)$ is the difference between the right bound of $I_k$ and the left bound of $I_j$. As $k \ge i$ and $t_2 - t < n$, we know that this difference must be less than $n$ and, consequently, $T_c$ holds on interval $j$. By Constraint 21, this implies that $s_j(\llbracket\alpha\rrbracket) = \mathit{true}$. As we picked $j$ to be an arbitrary interval containing a point less than $n$ time units away from $(i,t)$, we can conclude that $\llbracket\alpha\rrbracket$ holds at any point on intervals $i+1, i+2, \ldots$ that is less than $n$ time units after $(i,t)$.

Additionally, Constraint 21 ensures that $\llbracket\alpha\rrbracket$ also holds on interval $i$, if that interval is open. Thus, it is guaranteed that $\llbracket\alpha\rrbracket$ holds at all future points less than $n$ time units away and $\sigma^{(i,t)} \models G^s_{<n}\, \alpha$. ■

Proof: For Op = $G^s_{\le n}$. We modify the proof for $G^s_{<n}$ by picking $j > i$, $t_2 \in I_j$ with $t_2 - t \le n$. Then we know that the difference between the left bound of $I_j$ and the right bound of $I_i$ is less than or equal to $n$ and can be equal to $n$ only if both intervals are singletons. Now

• if $s_j(c) < n$ then $T_c$ is satisfied on interval $j$ and we proceed as before.

• if $s_j(c) = n$ then we know that $s_j(c)$ is precisely the difference between the left bound of $I_j$ and the right bound of $I_i$ and that $I_i$ and $I_j$ are both singletons. Now, $k = i$ or there is a sequence of intervals $I_i I_{i+1} \ldots I_k$ that are all singletons. In either case, $I_k$ is a singleton and $s_j(\mathit{righto}) = \mathit{false}$. Thus, $T_c$ is satisfied also in this case and we continue as before.

■
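The distance arguments in the proofs above (for $F^s_{<n}$ and $F^s_{\le n}$: left-bound differences, with $\le n$ sufficing when the source interval is open; for $U^s_{>n}$ and $U^s_{\ge n}$: right-bound differences, strict when the source is a singleton; for $G^s_{\le 0}$: zero-distance future points only between consecutive singletons) can be checked mechanically on a finite super-dense trace. The following Python is an added example written for this page, not code from the paper or its implementation: it evaluates the timed operators directly on an interval sequence under the $\phi$-fineness assumption, so that "every point of $I_i$ satisfies $\phi$" is decided from interval bounds alone. The trace and formula encodings, the helper names (`every_point_reaches`, `some_point_reaches`, `holds`) and the sample trace are this example's own constructions; the trace is a finite prefix, so the non-zeno infinite tail is not modelled.

```python
"""Interval-level evaluation of timed operators over a super-dense time trace.

Added example, not code from the paper: it decides sigma^(i,.) |= f on the
interval sequence under phi-fineness (each subformula holds on a whole
interval or nowhere in it).  Trace and formula representations are this
example's own choices; the trace is a finite prefix.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Iv:
    """One trace interval: the singleton [lo,lo] (lo == hi) or the open interval (lo,hi)."""
    lo: Fraction
    hi: Fraction

    @property
    def open(self) -> bool:
        return self.lo < self.hi


def pt(t) -> Iv:
    return Iv(Fraction(t), Fraction(t))


def opn(a, b) -> Iv:
    return Iv(Fraction(a), Fraction(b))


Trace = List[Tuple[Iv, FrozenSet[str]]]


def check_trace(trace: Trace) -> bool:
    """Super-dense well-formedness: (a,b) is followed by [b,b]; [t,t] by [t,t] or (t,b)."""
    for (cur, _), (nxt, _) in zip(trace, trace[1:]):
        if cur.open and (nxt.open or nxt.lo != cur.hi):
            return False
        if not cur.open and nxt.lo != cur.lo:
            return False
    return all(iv.lo <= iv.hi for iv, _ in trace)


def every_point_reaches(src: Iv, dst: Iv, same: bool, op: str, n) -> bool:
    """For every t in src, is there a strictly later t' in dst with (t' - t) op n?"""
    if same:                       # later points inside src itself
        if not src.open:
            return False           # a singleton contains no later point
        # distances range over (0, hi - t) with t arbitrarily close to hi: only a zero bound is met
        return {"<": n > 0, "<=": n > 0, ">": n == 0, ">=": n == 0}[op]
    if op in ("<", "<="):          # upper bounds are decided by the left bounds
        d = dst.lo - src.lo
        if src.open:
            return d <= n          # t > lo(src) makes every distance strictly below d
        if dst.open:
            return d < n           # distances into an open dst are strictly above d
        return d < n if op == "<" else d <= n
    d = dst.hi - src.hi            # lower bounds are decided by the right bounds
    if src.open:
        return d >= n              # t < hi(src) makes the distance strictly above d
    if dst.open:
        return d > n
    return d > n if op == ">" else d >= n


def some_point_reaches(src: Iv, dst: Iv, same: bool, op: str, n) -> bool:
    """Is there any t in src with a strictly later t' in dst and (t' - t) op n (op in <, <=)?"""
    if same:
        return src.open and n > 0
    d = dst.lo - src.hi            # infimum distance, attained only between two singletons
    if op == "<":
        return d < n
    return d < n or (d == n and not src.open and not dst.open)


def holds(trace: Trace, i: int, f) -> bool:
    """sigma^(i,.) |= f: every point of interval i satisfies f (phi-fineness assumed).

    Formulas are tuples: ('ap', p), ('not', g), ('F', op, n, g), ('G', op, n, g),
    ('U', op, n, g, h) with op one of '<', '<=', '>', '>='; ('U', '>=', 0, g, h)
    is the untimed until."""
    src = trace[i][0]
    kind = f[0]
    if kind == "ap":
        return f[1] in trace[i][1]
    if kind == "not":
        return not holds(trace, i, f[1])
    if kind == "F":
        _, op, n, g = f
        return any(holds(trace, j, g) and every_point_reaches(src, trace[j][0], i == j, op, n)
                   for j in range(i, len(trace)))
    if kind == "G":
        _, op, n, g = f
        return all(holds(trace, j, g) for j in range(i, len(trace))
                   if some_point_reaches(src, trace[j][0], i == j, op, n))
    if kind == "U":
        _, op, n, g, h = f
        for j in range(i, len(trace)):
            dst = trace[j][0]
            if not (holds(trace, j, h) and every_point_reaches(src, dst, i == j, op, n)):
                continue
            # g must hold strictly between the two points: on every interval in between,
            # on I_i if it is open (points after t) and on I_j if it is open (points before t')
            between = list(range(i + 1, j)) + ([i] if src.open else []) + ([j] if dst.open else [])
            if all(holds(trace, k, g) for k in between):
                return True
        return False
    raise ValueError(f"unknown formula {f!r}")


# Constructed sample trace: [0,0] (0,2) [2,2] [2,2] (2,5) [5,5] (5,7)
A, B = frozenset({"a"}), frozenset({"b"})
TRACE: Trace = [
    (pt(0), frozenset()), (opn(0, 2), A), (pt(2), A), (pt(2), B),
    (opn(2, 5), frozenset()), (pt(5), B), (opn(5, 7), frozenset()),
]
```

On the constructed trace, $F^s_{\le 2}\, b$ holds at the singleton $[0,0]$ because the singleton $[2,2]$ carrying $b$ is exactly $2$ away, while $F^s_{<2}\, b$ fails there and holds on the open interval $(0,2)$, which is the "open source interval makes $\le n$ sufficient" case of the proofs. $G^s_{\le 0}\, b$ holds on the first $[2,2]$ interval only because the next interval is again the singleton $[2,2]$; the open $(2,5)$ that follows is not zero time units away from any point.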

Proof: For Op = $R^s_{>n}$. The "preservation of traces" property follows from the fact that the constraints can easily be satisfied globally when $\llbracket\alpha\, R^s_{>n}\, \beta\rrbracket$ and $\mathit{oblig}$ are set to false globally.

Now take a $\mathcal{S}_{\alpha R^s_{>n} \beta}$ run $r = s_0 s_1 s_2 \ldots$ with $\mathrm{trace}(r) = \sigma = (I_0, v_0)(I_1, v_1)\ldots$, $i \in \mathbb{N}$ and $t \in I_i$ with $s_i(\llbracket\alpha\, R^s_{>n}\, \beta\rrbracket) = \mathit{true}$. It remains to show that $\sigma^{(i,t)} \models \alpha\, R^s_{>n}\, \beta$. As usual, let $\hat{i} = i$ if interval $I_i$ is open and $\hat{i} = i+1$ otherwise.

As a first case assume that for all $(j, t_2) \in T(\sigma)$ with $t_2 - t > n$ we have that $s_j(\llbracket\beta\rrbracket) = \mathit{true}$. In this case, we trivially have $\sigma^{(i,t)} \models \alpha\, R^s_{>n}\, \beta$.

As a second case, assume there is $(j, t_2) \in T(\sigma)$ with $t_2 - t > n$ and $s_j(\llbracket\beta\rrbracket) = \mathit{false}$.

Case 2.a: $i = j$. As $t_2 - t > n$, this implies that $\delta > n$ at interval $i$. Then, Constraint 28 implies that $s_i(\llbracket\alpha\rrbracket) = \mathit{true}$. As interval $I_i$ also has to be open to allow $\delta$ to be non-zero, we now know that there is a point in between $(i,t)$ and $(j,t_2)$ where $\llbracket\alpha\rrbracket$ holds.

Case 2.b: $i < j$ and $s_j(\mathit{oblig}) = \mathit{false}$. Analogously to the proof of the lemma for the untimed $R^s$ encoding, $s_j(\mathit{oblig}) = \mathit{false}$ implies that $\llbracket\alpha\rrbracket$ holds at some point in between $(i,t)$ and $(j,t_2)$.

Case 2.c: $i < j$ and $s_j(\mathit{oblig}) = s_j(\llbracket\alpha\rrbracket) = \mathit{true}$ and $I_j$ is open. Then, as $I_j$ is open and $s_j(\llbracket\alpha\rrbracket) = \mathit{true}$, we know that $\llbracket\alpha\rrbracket$ holds at some point in between $(i,t)$ and $(j,t_2)$.

Case 2.d: $i < j$ and $s_j(\mathit{oblig}) = \mathit{true}$ and either $I_j$ is a singleton or $s_j(\llbracket\alpha\rrbracket) = \mathit{false}$. Then, according to Constraint 27 we know $T_c$ does not hold on interval $j$. Now pick $k \le j$ as large as possible such that $s_k(c) = 0$ and one of the following holds:

- $D_c$ holds at interval $k-1$,

- $R_c$ holds at interval $k-1$, or

- $k = 0$.

Now Constraint 31 implies that $s_j(c)$ is the difference between the left bound of $I_j$ and the left bound of $I_k$. Consequently, $s_j(c) + s_j(\delta)$ is the difference between the right bound of $I_j$ and the left bound of $I_k$. Now by the fact that $T_c$ does not hold we know that the difference between the right bound of $I_j$ and the left bound of $I_k$ is less than or equal to $n$ time units. Furthermore, $t_2 - t > n$ implies that the difference between the right bound of $I_j$ and the left bound of $I_i$ is greater than $n$. This, in turn, implies that $k > i$ and at least one of the intervals $I_i, I_{i+1}, \ldots, I_{k-1}$ is open. This implies that $k \ge \hat{i}$. Now, there are three possibilities:

- $R_c$ holds at interval $k-1$ and $s_{k-1}(\llbracket\alpha\rrbracket) = \mathit{true}$. Then there is a point in between $(i,t)$ and $(j,t_2)$ at which $\alpha$ holds.

- $R_c$ holds at interval $k-1$ and $s_{k-1}(\llbracket\alpha\rrbracket) = \mathit{false}$. By the definition of $R_c$ now $s_{k-1}(\mathit{oblig}) = \mathit{false}$. Analogously to the untimed $R^s$ encoding and Case 2.b, this implies that $\llbracket\alpha\rrbracket$ holds on an interval in the range $\hat{i}, \ldots, k-1$.

- $D_c$ holds at interval $k-1$. This implies that $s_{k-1}(\llbracket\alpha\rrbracket) = \mathit{true}$.

In each of the mentioned cases, we were able to show that $\llbracket\alpha\rrbracket$ holds at some point in between $(i,t)$ and $(j,t_2)$, allowing us to conclude that $\sigma^{(i,t)} \models \alpha\, R^s_{>n}\, \beta$. ■

Proof: For Op = $R^s_{\ge n}$. To adapt the $R^s_{>n}$ proof for $R^s_{\ge n}$, modify the second case as follows. We pick a $(j, t_2) \in T(\sigma)$ with $s_j(\llbracket\beta\rrbracket) = \mathit{false}$ and $t_2 - t \ge n$. Cases 2.a to 2.c do not require substantial changes. In Case 2.d, we pick $k$ as before.

We now observe that $t_2 - t \ge n$ implies that the difference between the right bound of $I_j$ and the left bound of $I_i$ is greater than or equal to $n$. Furthermore, the difference can only be equal to $n$ if $I_i$ and $I_j$ are both singletons.

The fact that $T_c$ does not hold at interval $j$ implies that $s_j(c) + s_j(\delta) \le n$. Furthermore, if $s_j(c) + s_j(\delta) = n$ then we know that $I_j$ is open or $s_j(\mathit{lefto}) = \mathit{true}$.

Now

• If the difference between the right bound of $I_j$ and the left bound of $I_i$ is greater than $n$, we again can conclude that $k > i$ and proceed as before.

• Likewise, if $s_j(c) + s_j(\delta) < n$ we conclude that $k > i$ and proceed as before.

• If the difference between the right bound of $I_j$ and the left bound of $I_i$ equals $n$ and $s_j(c) + s_j(\delta) = n$, then our previous observations tell us that (i) $I_i$ and $I_j$ are singletons and (ii) $s_j(\mathit{lefto}) = \mathit{true}$. Furthermore, as $n > 0$, $s_j(c) + s_j(\delta) = n$, $s_k(c) = 0$ and $I_j$ is a singleton we know that $k < j$. As the value of $\mathit{lefto}$ on intervals $k+1, \ldots, j$ is set according to Constraint 31, we know that $s_k(\mathit{lefto}) = \mathit{true}$. This eliminates the possibilities that $k = 0$ or that $D_c$ holds on interval $k-1$, leaving only the possibility that $R_c$ holds on interval $k-1$. Then by Constraint 30, $I_k$ is open. Together with our assumptions about the left-bound-to-right-bound differences and the fact that $I_i$ is a singleton, this implies that $k > i$. Finally, as $I_i$ is a singleton and $s_i(\llbracket\alpha\, R^s_{\ge n}\, \beta\rrbracket) = \mathit{true}$, $R_c$ does not hold on interval $i$, meaning that $k \ge i+1 = \hat{i}$. Now we can continue as previously.

■

F. Completeness proofs 

Lemma 5: The transition system $\mathcal{S}_p$ is a complete encoding for $p$, and $\mathcal{S}_{\neg p}$ is a complete encoding for $\neg p$. If a transition system $\mathcal{S}$ over $AP$ is a complete encoding of $\alpha$ and $\beta$, then the transition system $\mathcal{S}_{Op\,\alpha}$ over $AP$ is a complete encoding of $Op\, \alpha$ for each $Op \in \{F^s_{\le 0}, F^s_{\le n}, F^s_{<n}, G^s_{\le 0}, G^s_{\le n}, G^s_{<n}\}$, and $\mathcal{S}_{\alpha\, Op\, \beta}$ is a complete encoding of $\alpha\, Op\, \beta$ for each $Op \in \{\wedge, \vee, U^s, U^s_{>n}, U^s_{\ge n}, R^s, R^s_{>n}, R^s_{\ge n}\}$.

Recall that an encoding $\mathcal{S}_\phi$ is complete if for every $\phi$-fine trace $\sigma = (I_0, v_0)(I_1, v_1)(I_2, v_2)\ldots$ in $\mathrm{traces}(\mathcal{S})$, there is a run $r = s_0 s_1 s_2 \ldots$ in $\mathcal{S}_\phi$ such that $\mathrm{trace}(r) = \sigma$ and for all points $(i,t)$ in $\sigma$ it holds that $\sigma^{(i,t)} \models \phi$ implies $s_i(\llbracket\phi\rrbracket) = \mathit{true}$. Thus, we can prove completeness by assuming a $\phi$-fine trace $\sigma \in \mathrm{traces}(\mathcal{S})$, extending it to a run $r$ by giving values for the auxiliary variables used in the encoding (setting $\llbracket\phi\rrbracket$ to true exactly on those intervals where $\phi$ holds) and then arguing that all constraints of the encoding are satisfied. Lemma 5 is proven by structural induction. That is, it will be assumed that the lemma holds for the subformulas $\alpha$ and $\beta$. Like Lemma 4, we will prove Lemma 5 separately for each operator.

As the lemma assumes $\phi$-fineness, $\phi$ either holds at all points in a given interval in $\sigma$ or $\phi$ does not hold at any point inside the interval. We use the notation $\sigma^{(j,\cdot)} \models \phi$ to denote that $\phi$ is satisfied by all points belonging to interval $j$ and $\sigma^{(j,\cdot)} \not\models \phi$ to denote that no point inside the interval satisfies $\phi$.

Proof: For Op = $U^s$. Auxiliary variable rules: Let $i \in \mathbb{N}$. As always, we set $s_i(\llbracket\alpha\, U^s\, \beta\rrbracket)$ / $s_i(\llbracket\alpha\rrbracket)$ / $s_i(\llbracket\beta\rrbracket)$ to true iff $\sigma^{(i,\cdot)} \models \alpha\, U^s\, \beta$ / $\sigma^{(i,\cdot)} \models \alpha$ / $\sigma^{(i,\cdot)} \models \beta$, respectively.

The transition constraints are satisfied: Let $i \in \mathbb{N}$. Now

• If $s_i(\llbracket\alpha\, U^s\, \beta\rrbracket) = \mathit{false}$ then both Constraints 1 and 2 trivially hold at interval $i$.

• If $s_i(\llbracket\alpha\, U^s\, \beta\rrbracket) = \mathit{true}$ and $I_i$ is open, then Constraint 2 is trivially satisfied. Furthermore, as $s_i(\llbracket\alpha\, U^s\, \beta\rrbracket) = \mathit{true}$ we know that $\sigma^{(i,\cdot)} \models \alpha\, U^s\, \beta$. Pick any $t_1 \in I_i$. By the semantics of $U^s$ we now know that there is a future time point $(j, t_2) \in T^+(\sigma, (i, t_1))$ such that $s_j(\llbracket\beta\rrbracket) = \mathit{true}$ and $\llbracket\alpha\rrbracket$ holds anywhere in between $(i, t_1)$ and $(j, t_2)$. Note that due to the fact that $I_i$ is open, there is a guarantee that interval $i$ contains time points lying in between $(i, t_1)$ and $(j, t_2)$, implying that $s_i(\llbracket\alpha\rrbracket) = \mathit{true}$. Now if $j = i$ or $j = i+1$, then Constraint 1 is satisfied. Furthermore, if $j > i+1$, then also $s_{i+1}(\llbracket\alpha\rrbracket) = \mathit{true}$ and $\sigma^{(i+1,\cdot)} \models \alpha\, U^s\, \beta$. Thus, $s_{i+1}(\llbracket\alpha\, U^s\, \beta\rrbracket) = \mathit{true}$, implying that Constraint 2 is satisfied in this case as well.

• If $s_i(\llbracket\alpha\, U^s\, \beta\rrbracket) = \mathit{true}$ and $I_i$ is a singleton, then Constraint 1 is trivially satisfied. Let $\{t_1\} = I_i$. Again, we pick a time point $(j, t_2) \in T^+(\sigma, (i, t_1))$ such that $s_j(\llbracket\beta\rrbracket) = \mathit{true}$ and $\llbracket\alpha\rrbracket$ holds anywhere in between $(i, t_1)$ and $(j, t_2)$. Now if $j = i+1$ and $I_j$ is a singleton, then Constraint 2 is satisfied. If $j = i+1$ and $I_j$ is open, then $s_j(\llbracket\alpha\rrbracket) = s_j(\llbracket\beta\rrbracket) = \mathit{true}$, meaning that $\sigma^{(j,\cdot)} \models \alpha\, U^s\, \beta$. Then $s_j(\llbracket\alpha\, U^s\, \beta\rrbracket) = \mathit{true}$ and Constraint 2 is satisfied. If $j > i+1$ then we observe that $s_{i+1}(\llbracket\alpha\rrbracket) = \mathit{true}$ and $\sigma^{(i+1,\cdot)} \models \alpha\, U^s\, \beta$, meaning that $s_{i+1}(\llbracket\alpha\, U^s\, \beta\rrbracket) = \mathit{true}$ and Constraint 2 is satisfied in this case as well.

The fairness condition is satisfied: It is easy to see that now the fairness constraint $\mathcal{F}_{\alpha U^s \beta}$ holds as well. We set $\llbracket\alpha\, U^s\, \beta\rrbracket$ to true precisely on those intervals on which $\alpha\, U^s\, \beta$ holds, implying that there is a future point at which $\beta$ holds. Thus, if $\llbracket\alpha\, U^s\, \beta\rrbracket$ holds on all intervals starting from some point, then $\alpha\, U^s\, \beta$ holds globally starting from that point. Hence, there is always a future interval at which $\beta$ holds, meaning that $\beta$ (and thus $\llbracket\beta\rrbracket$) holds infinitely often.

■
Proof: For Op = $F^s_{\le 0}$. Auxiliary variable rules: Let $i \in \mathbb{N}$. As always, we set $s_i(\llbracket F^s_{\le 0}\, \alpha\rrbracket)$ / $s_i(\llbracket\alpha\rrbracket)$ to true iff $\sigma^{(i,\cdot)} \models F^s_{\le 0}\, \alpha$ / $\sigma^{(i,\cdot)} \models \alpha$, respectively.

The transition constraints are satisfied: Let $i \in \mathbb{N}$. If $s_i(\llbracket F^s_{\le 0}\, \alpha\rrbracket) = \mathit{false}$, then Constraint 3 is trivially satisfied. If, in contrast, $s_i(\llbracket F^s_{\le 0}\, \alpha\rrbracket) = \mathit{true}$, then we know that $\sigma^{(i,\cdot)} \models F^s_{\le 0}\, \alpha$. Thus, there is a $j > i$ such that $s_j(\llbracket\alpha\rrbracket) = \mathit{true}$ and for every point in $I_i$ there is a point in $I_j$ that is at most $0$ time units away. The latter implies that intervals $I_i, \ldots, I_j$ are all singletons. Thus, in particular, $I_i$ and $I_{i+1}$ are singletons. Furthermore, if $j = i+1$, then $s_{i+1}(\llbracket\alpha\rrbracket) = \mathit{true}$, implying that Constraint 3 is satisfied at interval $i$. If, in contrast, $j > i+1$ then $\sigma^{(i+1,\cdot)} \models F^s_{\le 0}\, \alpha$ as well, implying that $s_{i+1}(\llbracket F^s_{\le 0}\, \alpha\rrbracket) = \mathit{true}$ and, ultimately, that Constraint 3 is satisfied at interval $i$ also in this case. ■
Proof: For Op = $F^s_{<n}$. Auxiliary variable rules: Let $i \in \mathbb{N}$. As always, we set $s_i(\llbracket F^s_{<n}\, \alpha\rrbracket)$ / $s_i(\llbracket\alpha\rrbracket)$ to true iff $\sigma^{(i,\cdot)} \models F^s_{<n}\, \alpha$ / $\sigma^{(i,\cdot)} \models \alpha$, respectively. Furthermore, we set $s_0(c) = 0$ and $s_0(\mathit{lefto}) = \mathit{false}$. For $i > 0$ we set $s_i(c)$ and $s_i(\mathit{lefto})$ according to Constraints 7 and 8 and $s_{i-1}$.

The initial constraint is satisfied: The initial constraint of the $F^s_{<n}\, \alpha$ encoding is trivially satisfied as $s_0(c) = 0$ and $s_0(\mathit{lefto}) = \mathit{false}$.

The transition constraints are satisfied: Let $i \in \mathbb{N}$. Let $\hat{i} = i$ if $I_i$ is open and $\hat{i} = i+1$ if $I_i$ is a singleton. Now we will show that interval $i$ satisfies Constraints 4 and 5 using a case distinction.

• If $s_i(\llbracket F^s_{<n}\, \alpha\rrbracket) = \mathit{false}$ or $s_{i+1}(\llbracket F^s_{<n}\, \alpha\rrbracket) = \mathit{true}$, then Constraints 4 and 5 are trivially satisfied.

• If $s_i(\llbracket F^s_{<n}\, \alpha\rrbracket) = \mathit{true}$ and $s_{i+1}(\llbracket F^s_{<n}\, \alpha\rrbracket) = \mathit{false}$, then we know that $\sigma^{(i,\cdot)} \models F^s_{<n}\, \alpha$ and $\sigma^{(i+1,\cdot)} \not\models F^s_{<n}\, \alpha$. Now

- If $I_i$ is open then Constraint 5 is trivially satisfied. Furthermore, by the semantics of $F^s_{<n}$ we know that $\sigma^{(i,\cdot)} \models F^s_{<n}\, \alpha$ and $\sigma^{(i+1,\cdot)} \not\models F^s_{<n}\, \alpha$ implies that $s_i(\llbracket\alpha\rrbracket) = \mathit{true}$ or $s_{i+1}(\llbracket\alpha\rrbracket) = \mathit{true}$. In either case, Constraint 4 is satisfied.

- If $I_i$ is a singleton then Constraint 4 is trivially satisfied. Furthermore, by the semantics of $F^s_{<n}$ we know that $\sigma^{(i,\cdot)} \models F^s_{<n}\, \alpha$ and $\sigma^{(i+1,\cdot)} \not\models F^s_{<n}\, \alpha$ implies that (i) $I_{i+1}$ is a singleton as well and (ii) $s_{i+1}(\llbracket\alpha\rrbracket) = \mathit{true}$. Thus, Constraint 5 is satisfied as well.

It remains to be shown that Constraint 9 holds on interval $i$, which will be done by contradiction. Assume Constraint 9 does not hold on interval $i$. Then, $T_c$ does not hold on interval $i$, $s_i(\llbracket F^s_{<n}\, \alpha\rrbracket) = \mathit{true}$ and $I_i$ is a singleton or $s_i(\llbracket\alpha\rrbracket) = \mathit{false}$. As $s_i(\llbracket F^s_{<n}\, \alpha\rrbracket) = \mathit{true}$, we know that $\sigma^{(i,\cdot)} \models F^s_{<n}\, \alpha$. Pick $j \le i$ as large as possible such that $R_c$ holds at interval $j-1$ if such a $j$ exists and set $j = 0$ otherwise. Now we know that $s_j(c) = 0$ and $s_j(\mathit{lefto}) = \mathit{true}$ iff $I_j$ is open.

• If $j = i$, then we know that $s_i(c) = 0$. Now

- If $I_i$ is a singleton, then the value of $\delta$ at interval $i$ is $0$ as well, which implies that $T_c$ is, contrary to our assumption, satisfied on interval $i$.

- If $I_i$ is open, then our assumption that Constraint 9 does not hold implies that $s_i(\llbracket\alpha\rrbracket) = \mathit{false}$. As $\sigma^{(i,\cdot)} \models F^s_{<n}\, \alpha$, we now know that $\delta$ at interval $i$ can be at most $n$, implying that $T_c$ is satisfied and contradicting our assumption that Constraint 9 does not hold.

• If $j < i$, then we know by the fact that $R_c$ does not hold on intervals $j, \ldots, i-1$ that the value of $c$ at intervals $j+1, \ldots, i$ has been set according to Constraint 8. Hence, $s_i(c)$ is the difference between the left bound of $I_i$ and the left bound of $I_j$. Furthermore, $s_i(c) + s_i(\delta)$ is the difference between the right bound of $I_i$ and the left bound of $I_j$, and $s_i(\mathit{lefto}) = \mathit{true}$ iff $I_j$ is open. By the fact that $R_c$ does not hold on intervals $j, \ldots, i-1$ and the fact that $s_i(\llbracket F^s_{<n}\, \alpha\rrbracket) = \mathit{true}$ we know that $s_j(\llbracket F^s_{<n}\, \alpha\rrbracket) = \ldots = s_i(\llbracket F^s_{<n}\, \alpha\rrbracket) = \mathit{true}$.

Let $\hat{j} = j$ if $I_j$ is open and $\hat{j} = j+1$ if $I_j$ is a singleton. As $R_c$ does not hold on intervals $j, \ldots, i-1$ and $s_i(\llbracket F^s_{<n}\, \alpha\rrbracket) = \mathit{true}$, we know that $s_{\hat{j}}(\llbracket\alpha\rrbracket) = \ldots = s_i(\llbracket\alpha\rrbracket) = \mathit{false}$. As $s_{\hat{j}}(\llbracket F^s_{<n}\, \alpha\rrbracket) = \mathit{true}$, we know that $\sigma^{(\hat{j},\cdot)} \models F^s_{<n}\, \alpha$. Thus, for each point in $I_{\hat{j}}$ there is a future point at which $\alpha$ holds and that is less than $n$ time units away. As $s_{\hat{j}}(\llbracket\alpha\rrbracket) = \ldots = s_i(\llbracket\alpha\rrbracket) = \mathit{false}$, this implies that every point in $I_{\hat{j}}$ is less than $n$ time units away from a time point in $I_{i+1}$. Thus, the difference between the right bound of $I_i$ and the left bound of $I_j$ is less than $n$ time units if $I_j$ is a singleton and less than or equal to $n$ time units if $I_j$ is open. Recalling that the value of $c + \delta$ at interval $i$ is precisely said difference and $s_i(\mathit{lefto}) = \mathit{true}$ if $I_j$ is open, we conclude that $T_c$ is satisfied at interval $i$, contradicting our assumption.

In each case, we were able to show that the assumption that Constraint 9 does not hold leads to a contradiction. ■

In each case, we were able to show that the assumption that 

Constraint 9 does not hold leads to a contradiction. ■ 

Proof: For Op = $F^s_{\le n}$. The only difference between the proof for $F^s_{\le n}$ and the proof for $F^s_{<n}$ is in arguing that Constraint 9 is satisfied.

• The case where $i = j$ and $I_i$ is a singleton does not need modification.

• In the case where $i = j$ and $I_i$ is open, we observe that $\sigma^{(i,\cdot)} \models F^s_{\le n}\, \alpha$ and $s_i(\llbracket\alpha\rrbracket) = \mathit{false}$. Thus, we know that the value of $\delta$ at interval $i$ is at most $n$. Furthermore, as $I_i$ is open, we know that $s_i(\mathit{lefto}) = \mathit{true}$, contradicting the assumption that $T_c$ is not satisfied.

• In the case where $j < i$, we observe that $s_{\hat{j}}(\llbracket\alpha\rrbracket) = \ldots = s_i(\llbracket\alpha\rrbracket) = \mathit{false}$ and $\sigma^{(\hat{j},\cdot)} \models F^s_{\le n}\, \alpha$. Thus, the difference between the left bound of $I_j$ and the right bound of $I_i$ is less than or equal to $n$, and less than $n$ if $I_j$ is a singleton and $I_{j+1}$ is open, again leading to a contradiction based on the fact that $T_c$ is satisfied.



Proof: For Op = $U^s_{>n}$. Auxiliary variable rules: Let $i \in \mathbb{N}$. As always, we set $s_i(\llbracket\alpha\, U^s_{>n}\, \beta\rrbracket)$ / $s_i(\llbracket\alpha\rrbracket)$ / $s_i(\llbracket\beta\rrbracket)$ to true iff $\sigma^{(i,\cdot)} \models \alpha\, U^s_{>n}\, \beta$ / $\sigma^{(i,\cdot)} \models \alpha$ / $\sigma^{(i,\cdot)} \models \beta$, respectively. We set $s_0(c) = 0$ and $s_0(\mathit{righto}) = \mathit{false}$. For $i > 0$ we set $s_i(c)$ and $s_i(\mathit{righto})$ according to Constraints 14 and 15 and $s_{i-1}$. Furthermore, we set $s_i(\mathit{oblig}) = \mathit{true}$ iff at least one of the following cases holds:

1) $\sigma^{(i,\cdot)} \models \alpha\, U^s_{>n}\, \beta$,

2) $n > 0$, $i > 0$ and $\sigma^{(i-1,\cdot)} \models \alpha\, U^s_{>n}\, \beta$,

3) $i > 0$, $I_{i-1}$ is open, $s_{i-1}(\mathit{oblig}) = \mathit{true}$ and $f$ neither holds on interval $i-1$ nor on interval $i$,

4) $i > 0$, $I_{i-1}$ is a singleton, $s_{i-1}(\mathit{oblig}) = \mathit{true}$ and $f$ does not hold on interval $i$ or $I_i$ is open.

The transition constraints are satisfied: Let $i \in \mathbb{N}$. Note that the rules for setting the value of $\mathit{oblig}$ ensure that Constraint 10 is satisfied on interval $i$.

Assume $\sigma^{(i,\cdot)} \models \alpha\, U^s_{>n}\, \beta$ and $n > 0$. Take $t \in I_i$ such that the difference between the right bound of $I_i$ and $t$ is less than $n$. Now there is a future time point more than $n$ time units from $(i,t)$ at which $\beta$ holds and up to which $\alpha$ holds. The fact that this point is more than $n$ time units away implies that either $I_{i+1}$ is open or the time point is on interval $i+2$ or a later interval. In either case $s_{i+1}(\llbracket\alpha\rrbracket) = \mathit{true}$. Together with the rules for setting the value of $\mathit{oblig}$, this implies that Constraint 11 is satisfied.

If, in contrast, $\sigma^{(i,\cdot)} \not\models \alpha\, U^s_{>n}\, \beta$ then Constraint 11 is trivially satisfied, and if $n = 0$, Constraint 11 is not used at all.

Next, we show that Constraints 12 and 13 are satisfied on interval $i$.

• Assume $s_i(\mathit{oblig}) = \mathit{false}$. In this case, Constraints 12 and 13 are trivially satisfied.

• Assume $s_i(\mathit{oblig}) = s_i(\llbracket\alpha\, U^s_{>n}\, \beta\rrbracket) = \mathit{true}$. Now if $I_i$ is open, then $s_i(\llbracket\alpha\rrbracket) = \mathit{true}$. Furthermore, by Constraint 14 we know $s_{i+1}(c) = 0$ and $s_{i+1}(\mathit{righto}) = \mathit{true}$ iff $I_i$ is open. Now

- If $s_{i+1}(\mathit{oblig}) = s_{i+1}(\llbracket\alpha\rrbracket) = \mathit{true}$, then Constraints 12 and 13 are trivially satisfied.

- If $s_{i+1}(\llbracket\alpha\rrbracket) = \mathit{false}$, then the fact that $\sigma^{(i,\cdot)} \models \alpha\, U^s_{>n}\, \beta$ implies that $n = 0$ and one of the following:

* $s_i(\llbracket\beta\rrbracket) = \mathit{true}$ and $I_i$ is open. In this case, $s_i(\delta) > 0$, meaning that $T_c$ and $f$ are satisfied on interval $i$ and ultimately that Constraints 12 and 13 are satisfied.

* $s_{i+1}(\llbracket\beta\rrbracket) = \mathit{true}$, $I_i$ is open and $I_{i+1}$ is a singleton. In this case, $s_{i+1}(\mathit{righto}) = \mathit{true}$, implying that $T_c$ and $f$ are satisfied on interval $i+1$ and ultimately that Constraints 12 and 13 are satisfied.

- If $s_{i+1}(\mathit{oblig}) = \mathit{false}$ then by the fact that $s_i(\llbracket\alpha\, U^s_{>n}\, \beta\rrbracket) = \mathit{true}$ and Rule 2 for setting the value of $\mathit{oblig}$ we know that $n = 0$. If we now assume that $I_i$ is a singleton, then by Rule 4 for setting the value of $\mathit{oblig}$ we know that $f$ holds on interval $i+1$ and $I_{i+1}$ is a singleton. The latter, however, implies that $s_{i+1}(c) + s_{i+1}(\delta) = 0$ and, thus, that $f$ does not hold on interval $i+1$. Thus, assuming $I_i$ to be a singleton leads to a contradiction and we know that $I_i$ is open.

Now $I_{i+1}$ is a singleton and we know that $s_{i+1}(c) + s_{i+1}(\delta) = 0$ and $f$ is not satisfied on interval $i+1$. Now Rule 3 for setting the value of $\mathit{oblig}$ and the fact that $s_{i+1}(\mathit{oblig}) = \mathit{false}$ imply that $f$ holds on interval $i$. As $I_i$ is open and $\sigma^{(i,\cdot)} \models \alpha\, U^s_{>n}\, \beta$, now $s_i(\llbracket\alpha\rrbracket) = \mathit{true}$ and Constraints 12 and 13 are satisfied.
• Assume $s_i(oblig) = \mathit{true}$ and $s_i(\llbracket\alpha \mathrel{U^s_{>n}} \beta\rrbracket) = \mathit{false}$. Choose $j < i$ as large as possible such that $s_j(\llbracket\alpha \mathrel{U^s_{>n}} \beta\rrbracket) = \mathit{true}$. We know that a corresponding interval exists based on the fact that $s_i(oblig) = \mathit{true}$. Let $\bar{j} = j$ if $I_j$ is open and $\bar{j} = j+1$ otherwise. Now by the choice of $j$ we know $s_{\bar{j}}(oblig) = \dots = s_i(oblig) = \mathit{true}$.

  - Assume $n > 0$. Based on the rules for setting the value of $oblig$, we now know that $f$ does not hold on intervals $j+2, \dots, i$, and not on $j+1$ either if $I_{j+1}$ is open. Furthermore, if $I_{j+1}$ is a singleton, then as $s_{j+1}(c) = 0$ we know that $s_{j+1}(c) + s_{j+1}(\delta) = 0$, meaning that $T_c$ (and, thus, $f$) does not hold on interval $j+1$. Thus, $f$ does not hold on intervals $j+1, \dots, i$.

  - Assume $n = 0$. Based on the rules for setting the value of $oblig$, we now immediately know that $f$ does not hold on intervals $j+1, \dots, i$, and not on interval $j$ either if $I_j$ is open.

  Now as $\sigma^{(j,\cdot)} \models \alpha \mathrel{U^s_{>n}} \beta$, we can pick $k \geq j$ such that $s_k(\llbracket\beta\rrbracket) = \mathit{true}$, for every point in $I_j$ there is a point in $I_k$ that is more than $n$ time units away, and $s_{\bar{j}}(\llbracket\alpha\rrbracket) = \dots = s_{\bar{k}}(\llbracket\alpha\rrbracket) = \mathit{true}$ with $\bar{k} = k$ if $I_k$ is open and $\bar{k} = k-1$ if $I_k$ is a singleton. We observe that $k = j$ is possible only if $n = 0$ and $I_j$ is open. In this case, however, $T_c$ and $\llbracket\beta\rrbracket$ would both hold on interval $j$, meaning that $f$ holds and contradicting our previous observation that $f$ does not hold on interval $j$ if $I_j$ is open and $n = 0$. Thus, $k > j$.

  Take an arbitrary $m \in \mathbb{N}$ with $j < m \leq i$. Now we note that $s_m(\mathit{right}_0) = \mathit{true}$ iff $I_j$ is open. Furthermore, $s_m(c)$ is the difference between the left bound of $I_m$ and the right bound of $I_j$. Correspondingly, $s_m(c) + s_m(\delta)$ is the difference between the right bounds of $I_m$ and $I_j$. Now as $f$ does not hold on interval $m$, we know that either $s_m(\llbracket\beta\rrbracket) = \mathit{false}$ or $T_c$ does not hold. By the definition of $T_c$, the latter implies that the difference between the right bounds of $I_m$ and $I_j$ is less than or equal to $n$, and less than $n$ if $I_j$ is open, meaning that there is a point in $I_j$ for which there is no point in $I_m$ that is $> n$ time units away. This allows us to conclude that $k \neq m$. As we picked an arbitrary $m$ with $j < m \leq i$, this means that $k > i$ and, thus, $s_i(\llbracket\alpha\rrbracket) = \mathit{true}$.

  - Now if $f$ holds on interval $i+1$ and $I_i$ is open, then Constraints 12 and 13 are satisfied on interval $i$.

  - If $f$ holds on interval $i+1$, $I_i$ is a singleton and $I_{i+1}$ is a singleton, then Constraints 12 and 13 are satisfied on interval $i$.

  - If $f$ holds on interval $i+1$, $I_i$ is a singleton and $I_{i+1}$ is open, then according to Rule 4 for setting the value of $oblig$ we have $s_{i+1}(oblig) = \mathit{true}$. Furthermore, as $k > i$ and $I_{i+1}$ is open we have $\bar{k} \geq i+1$, implying that $s_{i+1}(\llbracket\alpha\rrbracket) = \mathit{true}$. Thus, Constraints 12 and 13 are satisfied on interval $i$.

  - If $f$ does not hold on interval $i+1$, then we can use the same argument used to show that $k > i$ to show that, in fact, $k > i+1$, implying that $s_{i+1}(\llbracket\alpha\rrbracket) = \mathit{true}$. Furthermore, by Rules 3 and 4 for setting the value of $oblig$ and the fact that $f$ does not hold on intervals $i$ and $i+1$, we also know that $s_{i+1}(oblig) = \mathit{true}$. Hence, Constraints 12 and 13 are satisfied on interval $i$.



The fairness condition is satisfied: It remains to be shown that the fairness constraint is satisfied by our choice of values, which will be done by contradiction. Assume the fairness constraint is not satisfied. Then there is an $i \in \mathbb{N}$ such that $s_i(oblig) = s_{i+1}(oblig) = \dots = \mathit{true}$ and $s_i(\llbracket\beta\rrbracket) = s_{i+1}(\llbracket\beta\rrbracket) = \dots = \mathit{false}$. As $s_i(\llbracket\beta\rrbracket) = s_{i+1}(\llbracket\beta\rrbracket) = \dots = \mathit{false}$, we know that intervals $i, i+1, \dots$ do not satisfy $\alpha \mathrel{U^s_{>n}} \beta$ and, thus, $s_i(\llbracket\alpha \mathrel{U^s_{>n}} \beta\rrbracket) = s_{i+1}(\llbracket\alpha \mathrel{U^s_{>n}} \beta\rrbracket) = \dots = \mathit{false}$. By the rules for setting the value of $oblig$, we set $oblig$ to true only if $\llbracket\alpha \mathrel{U^s_{>n}} \beta\rrbracket$ holds on the current or the previous interval or $oblig$ holds on the previous interval. Thus, the fact that $s_i(oblig) = \mathit{true}$ implies that there is an interval before interval $i$ on which $\alpha \mathrel{U^s_{>n}} \beta$ holds.

Pick $j$ as large as possible such that $j < i$ and $s_j(\llbracket\alpha \mathrel{U^s_{>n}} \beta\rrbracket) = \mathit{true}$. Let $\bar{j} = j$ if $I_j$ is open and $\bar{j} = j+1$ if $I_j$ is a singleton. As $\sigma^{(j,\cdot)} \models \alpha \mathrel{U^s_{>n}} \beta$, there is a $k \geq j$ such that $s_k(\llbracket\beta\rrbracket) = \mathit{true}$, for every point in $I_j$ there is a point in $I_k$ that is more than $n$ time units away, and $s_{\bar{j}}(\llbracket\alpha\rrbracket) = \dots = s_{\bar{k}}(\llbracket\alpha\rrbracket) = \mathit{true}$ with $\bar{k} = k$ if $I_k$ is open and $\bar{k} = k-1$ if $I_k$ is a singleton. As $s_i(\llbracket\beta\rrbracket) = s_{i+1}(\llbracket\beta\rrbracket) = \dots = \mathit{false}$, we know that $k < i$. Recall that we picked $j$ to be the last interval at which $\llbracket\alpha \mathrel{U^s_{>n}} \beta\rrbracket$ holds. Hence, we know that $oblig$ on any later interval can only be set to true based on Rules 3 and 4. As both of these rules require $oblig$ to hold on the respective previous interval, we know that $s_{\bar{j}}(oblig) = s_{\bar{j}+1}(oblig) = \dots = \mathit{true}$.

Assume that $k = j$. By the semantics of $U^s_{>n}$, this implies that $n = 0$ and $I_j$ is open. Then $T_c$ is satisfied on interval $j$. As, additionally, $s_k(\llbracket\beta\rrbracket) = \mathit{true}$ and, thus, $f$ holds, the rules for setting the value of $oblig$ imply that $s_{j+1}(oblig) = \mathit{false}$, contradicting our observation that $s_{\bar{j}}(oblig) = s_{\bar{j}+1}(oblig) = \dots = \mathit{true}$.

Assume that $k = j+1$ and $n > 0$. Then $I_{j+1}$ is open and $s_{j+1}(\delta) > n$. Thus, both $T_c$ and $\llbracket\beta\rrbracket$ hold on interval $j+1 = k$, implying that $f$ holds. As $I_{j+1}$ is open, our rules for setting the value of $oblig$ now imply that $s_{j+2}(oblig) = \mathit{false}$, contradicting our observation that $s_{\bar{j}}(oblig) = s_{\bar{j}+1}(oblig) = \dots = \mathit{true}$.

Assume that $k > j+1$, or $k = j+1$ and $n = 0$. Then $oblig$ was set to true on interval $k$ by Rule 3 or 4, implying that $f$ does not hold on interval $k$ or $I_k$ is open. As $oblig$ is set to true on interval $k+1$ by Rule 3 or 4 as well, $I_k$ being open again implies that $f$ does not hold on interval $k$. Thus, $f$ does not hold on interval $k$, and $T_c$ does not hold on interval $k$ either, due to the fact that we picked $k$ so that $s_k(\llbracket\beta\rrbracket) = \mathit{true}$. By the fact that $I_j$ is the last interval on which $\llbracket\alpha \mathrel{U^s_{>n}} \beta\rrbracket$ holds, we know that $c$ and $\mathit{right}_0$ are set based on Constraint 14 on interval $j+1$ and based on Constraint 15 on all later intervals. This implies that at interval $k$, the value of $c + \delta$ is the difference between the right bounds of $I_k$ and $I_j$. Furthermore, $s_k(\mathit{right}_0) = \mathit{true}$ iff $I_j$ is open. Now

  - If $I_j$ is open, then by the fact that $T_c$ does not hold on interval $k$ we know that the difference between the right bounds of $I_j$ and $I_k$ is less than $n$. This, however, contradicts the fact that $k$ was chosen such that for every point in $I_j$ there is a point in $I_k$ that is more than $n$ time units away.

  - If $I_j$ is a singleton, then the difference between the right bounds of $I_j$ and $I_k$ is less than or equal to $n$. Again, this contradicts the fact that for every point in $I_j$ there is a point in $I_k$ that is more than $n$ time units away.

Thus, assuming that the fairness constraint is not satisfied leads to a contradiction. ■

Proof: For $Op = U^s_{\geq n}$. To obtain the proof for $U^s_{\geq n}$, we make the following changes to the proof for $U^s_{>n}$.

• All cases in which $n = 0$ are now contradictions, as we encode $U^s_{\geq 0}$ by the $U^s$ encoding.

• No substantial changes are needed to show that Constraints 10 and 11 are satisfied.

• When showing that Constraints 12 and 13 are satisfied:

  - In the case where $s_i(oblig) = s_i(\llbracket\alpha \mathrel{U^s_{\geq n}} \beta\rrbracket) = \mathit{true}$, the only valid option is that $s_{i+1}(oblig) = s_{i+1}(\llbracket\alpha\rrbracket) = \mathit{true}$, as all other cases required $n = 0$.

  - In the case where $s_i(oblig) = \mathit{true}$ and $s_i(\llbracket\alpha \mathrel{U^s_{\geq n}} \beta\rrbracket) = \mathit{false}$, we pick $k$ so that for every point in $I_j$ there is a point at least $n$ time units away in $I_k$ (and the properties regarding $\llbracket\alpha\rrbracket$ and $\llbracket\beta\rrbracket$ hold).

    After picking $m$, we note that if $T_c$ does not hold on interval $m$, then by the definition of $T_c$ the difference between the right bounds of $I_m$ and $I_j$ is less than or equal to $n$, and less than $n$ if $I_j$ is open or $I_m$ is a singleton. Then there is a point in $I_j$ for which there is no point in $I_m$ that is $\geq n$ time units away. Again, we conclude that $k \neq m$. We proceed as before.

• When showing that the fairness constraint is satisfied, we pick $k$ so that for every point in $I_j$ there is a point at least $n$ time units away in $I_k$ (and the properties regarding $\llbracket\alpha\rrbracket$ and $\llbracket\beta\rrbracket$ hold).

  Then the final case distinction is replaced by

  - If $I_j$ is open or $I_k$ is a singleton, then by the fact that $T_c$ does not hold on interval $k$ we know that the difference between the right bounds of $I_j$ and $I_k$ is less than $n$. This, however, contradicts the fact that $k$ was chosen such that for every point in $I_j$ there is a point in $I_k$ that is at least $n$ time units away.

  - If $I_j$ is a singleton and $I_k$ an open interval, then the difference between the right bounds of $I_j$ and $I_k$ is less than or equal to $n$. Again, this contradicts the fact that for every point in $I_j$ there is a point in $I_k$ that is at least $n$ time units away.

■
Proof: For $Op = R^s$. Auxiliary variable rules: Let $i \in \mathbb{N}$. As always, we set $s_i(\llbracket\alpha \mathrel{R^s} \beta\rrbracket)$ / $s_i(\llbracket\alpha\rrbracket)$ / $s_i(\llbracket\beta\rrbracket)$ to true iff $\sigma^{(i,\cdot)} \models \alpha \mathrel{R^s} \beta$ / $\sigma^{(i,\cdot)} \models \alpha$ / $\sigma^{(i,\cdot)} \models \beta$, respectively. We set $s_i(oblig) = \mathit{true}$ iff at least one of the following holds:

1) $I_i$ is open and $s_i(\llbracket\alpha \mathrel{R^s} \beta\rrbracket) = \mathit{true}$,

2) $I_{i-1}$ is a singleton and $s_{i-1}(\llbracket\alpha \mathrel{R^s} \beta\rrbracket) = \mathit{true}$, or

3) $s_{i-1}(oblig) = \mathit{true}$ and $s_{i-1}(\llbracket\alpha\rrbracket) = \mathit{false}$.

The transition constraints are satisfied: Let $i \in \mathbb{N}$.

Constraints 16, 17 and 18 are trivially satisfied based on the rules for setting the value of $oblig$. Thus, it only remains to be shown that Constraint 19 is satisfied as well. We distinguish the following cases:

• Case 1: $s_i(oblig) = \mathit{false}$. In this case, Constraint 19 is trivially satisfied.

• Case 2: $s_i(oblig) = \mathit{true}$ and Rule 1 for setting the value of $oblig$ applies. That is, $I_i$ is open and $s_i(\llbracket\alpha \mathrel{R^s} \beta\rrbracket) = \mathit{true}$. As $s_i(\llbracket\alpha \mathrel{R^s} \beta\rrbracket) = \mathit{true}$, we know that $\sigma^{(i,\cdot)} \models \alpha \mathrel{R^s} \beta$. On any open interval satisfying $\alpha \mathrel{R^s} \beta$ either $\alpha$ or $\beta$ (or both) must hold, immediately implying that Constraint 19 is satisfied.

• Case 3: $s_i(oblig) = \mathit{true}$ and Rule 1 does not apply but Rule 2 does apply. Then $I_{i-1}$ is a singleton and $s_{i-1}(\llbracket\alpha \mathrel{R^s} \beta\rrbracket) = \mathit{true}$, implying that $\sigma^{(i-1,\cdot)} \models \alpha \mathrel{R^s} \beta$. If $I_i$ itself is a singleton, then there is no time point in between the single time point in $I_{i-1}$ and the single time point in $I_i$. Thus, $\sigma^{(i-1,\cdot)} \models \alpha \mathrel{R^s} \beta$ implies that $s_i(\llbracket\beta\rrbracket) = \mathit{true}$, in turn implying that Constraint 19 is satisfied. If, in contrast, $I_i$ is open, then $\sigma^{(i-1,\cdot)} \models \alpha \mathrel{R^s} \beta$ implies that either $s_i(\llbracket\alpha\rrbracket) = \mathit{true}$ or $s_i(\llbracket\beta\rrbracket) = \mathit{true}$ (or both). Thus, also in this case Constraint 19 is satisfied.

• Case 4: $s_i(oblig) = \mathit{true}$ and Rule 1 and Rule 2 do not apply. In this case, Rule 3 has to apply, as we would not have set $s_i(oblig) = \mathit{true}$ if no rule applied. Thus, $s_{i-1}(oblig) = \mathit{true}$ and $s_{i-1}(\llbracket\alpha\rrbracket) = \mathit{false}$. We now choose $j < i$ as large as possible such that (i) $s_j(oblig) = \mathit{true}$ and (ii) either $j = 0$ or $s_{j-1}(oblig) = \mathit{false}$. Now we know that $s_j(oblig) = \mathit{true}$ based on Rule 1 or Rule 2. Let $\bar{j} = j$ iff Rule 1 applies to interval $j$ and $\bar{j} = j-1$ otherwise. We now know that $s_{\bar{j}}(\llbracket\alpha \mathrel{R^s} \beta\rrbracket) = \mathit{true}$ and, thus, $\sigma^{(\bar{j},\cdot)} \models \alpha \mathrel{R^s} \beta$. Furthermore, as $oblig$ propagated up to interval $i$ through Rule 3, we know that $s_j(\llbracket\alpha\rrbracket) = \dots = s_{i-1}(\llbracket\alpha\rrbracket) = \mathit{false}$. Now take any $t_1 \in I_i$ and $t_2 \in I_{\bar{j}}$. We now perform another case distinction based on the type of $I_i$.

  - If $I_i$ is a singleton, then for any $(k,t) \in T(\sigma)$ with $(\bar{j},t_2) \prec (k,t) \prec (i,t_1)$ it holds that $j \leq k < i$, implying that $s_k(\llbracket\alpha\rrbracket) = \mathit{false}$. Thus, there is no time point in between $(\bar{j},t_2)$ and $(i,t_1)$ at which $\alpha$ holds. As $\sigma^{(\bar{j},t_2)} \models \alpha \mathrel{R^s} \beta$, this means that $s_i(\llbracket\beta\rrbracket) = \mathit{true}$ and Constraint 19 is satisfied.

  - If $I_i$ is open, then for any $(k,t) \in T(\sigma)$ with $(\bar{j},t_2) \prec (k,t) \prec (i,t_1)$ it holds that $j \leq k \leq i$, meaning that $s_k(\llbracket\alpha\rrbracket) = \math{true}$ implies $k = i$. Thus, if there is a time point in between $(\bar{j},t_2)$ and $(i,t_1)$ at which $\alpha$ holds, that time point has to be part of interval $i$, meaning that $s_i(\llbracket\alpha\rrbracket) = \mathit{true}$. If there is no such time point, then the fact that $\sigma^{(\bar{j},t_2)} \models \alpha \mathrel{R^s} \beta$ implies that $s_i(\llbracket\beta\rrbracket) = \mathit{true}$. Hence, we have $s_i(\llbracket\alpha\rrbracket) = \mathit{true}$ or $s_i(\llbracket\beta\rrbracket) = \mathit{true}$ (or both) and Constraint 19 is satisfied.

Either way, we were able to demonstrate that Constraint 19 is satisfied. ■

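The arguments for Constraint 11 (a point more than $n$ time units in the future at which $\beta$ holds, with $\alpha$ at every point strictly in between, forces $\alpha$ onto $I_{i+1}$) and for Cases 2 and 3 of the $R^s$ proof (an open interval satisfying $\alpha \mathrel{R^s} \beta$ carries $\alpha$ or $\beta$; a singleton following a singleton that satisfies it must carry $\beta$) can be checked mechanically on finite super-dense traces. The Python below is an added example and not code from the paper; it assumes the point semantics just paraphrased (strict-future until, its dual release, propositions constant within an interval, points ordered lexicographically, and, for release on a finite trace, only points up to the last interval are examined). The traces, proposition names and function names are constructed for the example.

```python
"""Point semantics of U^s_{>n} / U^s_{>=n} and R^s over super-dense time traces.

Added example, not code from the paper. Assumptions (not stated on this page):
a trace is a finite list of intervals, each a singleton [a,a] or an open (a,b);
propositions are constant within an interval; points (i,t) are ordered
lexicographically; until is strict-future; release is its dual and, on a finite
trace, only points up to the last interval are checked.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import FrozenSet, List, Set


@dataclass(frozen=True)
class Interval:
    lo: Fraction
    hi: Fraction
    props: FrozenSet[str]

    @property
    def singleton(self) -> bool:
        return self.lo == self.hi

    def contains(self, t: Fraction) -> bool:
        return t == self.lo if self.singleton else self.lo < t < self.hi


def sing(a, *props) -> Interval:
    """Singleton [a,a]; consecutive singletons at the same instant model super-dense time."""
    return Interval(Fraction(a), Fraction(a), frozenset(props))


def opn(a, b, *props) -> Interval:
    """Open interval (a,b)."""
    return Interval(Fraction(a), Fraction(b), frozenset(props))


def between(trace: List[Interval], i: int, k: int) -> Set[int]:
    """Indices of intervals holding points strictly between a point of I_i and a point
    of I_k (i <= k): everything in the middle, plus I_i and I_k themselves when open."""
    idx = set(range(i + 1, k))
    if not trace[i].singleton:
        idx.add(i)
    if not trace[k].singleton:
        idx.add(k)
    return idx


def until_holds(trace, i, t, n, alpha, beta, strict=True) -> bool:
    """sigma^(i,t) |= alpha U^s_{>n} beta (strict) or alpha U^s_{>=n} beta (strict=False)."""
    t, n = Fraction(t), Fraction(n)
    assert trace[i].contains(t)
    far = (lambda d: d > n) if strict else (lambda d: d >= n)
    for k in range(i, len(trace)):
        cur = trace[k]
        if beta not in cur.props:
            continue
        if cur.singleton:
            # a singleton offers one point; I_i itself has no point strictly after (i,t)
            if k == i or not far(cur.lo - t):
                continue
        elif not cur.hi - t > n:
            # the sup of t'-t over an open I_k is not attained, so '>' in both variants
            continue
        if all(alpha in trace[m].props for m in between(trace, i, k)):
            return True
    return False


def release_holds(trace, i, t, alpha, beta) -> bool:
    """sigma^(i,t) |= alpha R^s beta: every later point satisfies beta or is preceded,
    strictly after (i,t), by a point satisfying alpha."""
    t = Fraction(t)
    assert trace[i].contains(t)
    for k in range(i, len(trace)):
        cur = trace[k]
        if k == i and cur.singleton:
            continue  # no point of I_i lies strictly after (i,t)
        if beta in cur.props or any(alpha in trace[m].props for m in between(trace, i, k)):
            continue
        return False
    return True


def constraint11_step(trace, i, n, alpha, beta) -> bool:
    """The implication used for Constraint 11: if alpha U^s_{>n} beta holds at a point of
    the open interval I_i less than n time units from its right bound, alpha holds on I_{i+1}."""
    cur = trace[i]
    t = cur.hi - min(Fraction(n), cur.hi - cur.lo) / 2  # a point within n of the right bound
    return (not until_holds(trace, i, t, n, alpha, beta)) or alpha in trace[i + 1].props


# Constructed traces (not from the paper).
# TRACE_U: "a" holds up to the instant 5, where "b" holds once.
TRACE_U = [sing(0, "a"), opn(0, 2, "a"), sing(2, "a"), opn(2, 5, "a"), sing(5, "b"), opn(5, 6)]
# TRACE_R: "b" holds until "a" releases it at the instant 1; afterwards nothing is required.
TRACE_R = [sing(0, "b"), opn(0, 1, "b"), sing(1, "a", "b"), opn(1, 3), sing(3)]
```

`until_holds(TRACE_U, 1, "3/2", 3, "a", "b")` is true because the $\beta$ point at instant 5 is 3.5 units away with $\alpha$ on $I_1, I_2, I_3$; from the point $(3, 4)$ the same $\beta$ point is only one unit away, so $U^s_{>1}$ fails while $U^s_{\geq 1}$ holds. For release, `release_holds(TRACE_R, 3, 2, "a", "b")` is false because $I_3$ is open and carries neither $\alpha$ nor $\beta$, matching Case 2.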
Proof: For $Op = G_{\leq 0}$. Auxiliary variable rules: Let $i \in \mathbb{N}$. As always, we set $s_i(\llbracket G_{\leq 0}\,\alpha\rrbracket)$ / $s_i(\llbracket\alpha\rrbracket)$ to true iff $\sigma^{(i,\cdot)} \models G_{\leq 0}\,\alpha$ / $\sigma^{(i,\cdot)} \models \alpha$, respectively.

The transition constraints are satisfied: Let $i \in \mathbb{N}$. Now

• If $s_i(\llbracket G_{\leq 0}\,\alpha\rrbracket) = \mathit{false}$ or $I_i$ is open or $I_{i+1}$ is open, then Constraint 20 is trivially satisfied on interval $i$.

• If $s_i(\llbracket G_{\leq 0}\,\alpha\rrbracket) = \mathit{true}$ and $I_i$ is a singleton and $I_{i+1}$ is a singleton, then pick $j \geq i+1$ as large as possible such that $I_i, \dots, I_j$ are all singletons. $s_i(\llbracket G_{\leq 0}\,\alpha\rrbracket) = \mathit{true}$ means that $\sigma^{(i,\cdot)} \models G_{\leq 0}\,\alpha$. Thus, we know that $s_{i+1}(\llbracket\alpha\rrbracket) = \dots = s_j(\llbracket\alpha\rrbracket) = \mathit{true}$. This implies that $\sigma^{(i+1,\cdot)} \models G_{\leq 0}\,\alpha$ as well and, thus, $s_{i+1}(\llbracket G_{\leq 0}\,\alpha\rrbracket) = \mathit{true}$. Thus, Constraint 20 is satisfied on interval $i$ in this case as well.

Hence, Constraint 20 is in each case satisfied on interval $i$. ■
Proof: For $Op = G^s_{<n}$. Auxiliary variable rules: Let $i \in \mathbb{N}$. As always, we set $s_i(\llbracket G^s_{<n}\,\alpha\rrbracket)$ / $s_i(\llbracket\alpha\rrbracket)$ to true iff $\sigma^{(i,\cdot)} \models G^s_{<n}\,\alpha$ / $\sigma^{(i,\cdot)} \models \alpha$, respectively. We set $s_0(c) = n+1$ and $s_0(\mathit{right}_0) = \mathit{true}$. For $i > 0$ we set $s_i(c)$ and $s_i(\mathit{right}_0)$ according to Constraints 22 and 23 and $s_{i-1}$.

The transition constraints are satisfied: Let $i \in \mathbb{N}$. It remains to show that Constraint 21 is satisfied on interval $i$.

• Case 1: $T_c$ does not hold on interval $i$, and $s_i(\llbracket G^s_{<n}\,\alpha\rrbracket) = \mathit{false}$ or $I_i$ is a singleton. In this case Constraint 21 is trivially satisfied.

• Case 2: $s_i(\llbracket G^s_{<n}\,\alpha\rrbracket) = \mathit{true}$ and $I_i$ is open. As $\sigma^{(i,\cdot)} \models G^s_{<n}\,\alpha$ and $I_i$ is open, we now know that $s_i(\llbracket\alpha\rrbracket) = \mathit{true}$. Thus, Constraint 21 is satisfied.

• Case 3: $T_c$ holds on interval $i$. Then we note that there is a previous interval on which $\llbracket G^s_{<n}\,\alpha\rrbracket$ holds. If no such previous interval existed, then $s_i(c)$ would be at least the initial value $n+1$, contradicting the assumption that $T_c$ holds. We can, thus, pick $j < i$ as large as possible such that $s_j(\llbracket G^s_{<n}\,\alpha\rrbracket) = \mathit{true}$, implying $\sigma^{(j,\cdot)} \models G^s_{<n}\,\alpha$.

  As is easy to see, repeated application of Constraints 22 and 23 leads to $s_i(c)$ being the difference between the left bound of $I_i$ and the right bound of $I_j$. Furthermore, $s_i(\mathit{right}_0) = \mathit{true}$ iff $I_j$ is open. As $T_c$ holds at interval $i$, we know that $s_i(c) < n$. That is, the difference between the left bound of $I_i$ and the right bound of $I_j$ is less than $n$ time units. Regardless of whether $I_j$ and $I_i$ are open or singletons, this implies that there are $t_1 \in I_i$ and $t_2 \in I_j$ with $t_1 - t_2 < n$. This implies that $s_i(\llbracket\alpha\rrbracket) = \mathit{true}$, as $\sigma^{(j,\cdot)} \models G^s_{<n}\,\alpha$. Thus, Constraint 21 is satisfied in this case as well. ■

Proof: For $Op = G^s_{\leq n}$. The proof for $Op = G^s_{\leq n}$ proceeds precisely as the proof for $Op = G^s_{<n}$ up to the point in Case 3 where we observe that $s_i(c) < n$. For $Op = G^s_{\leq n}$, we observe instead that $s_i(c) < n$, or $s_i(c) \leq n$ and intervals $I_i$ and $I_j$ are both singletons. Thus, we can pick time points in $I_i$ and $I_j$ that are $\leq n$ time units apart. Hence, the fact that $\sigma^{(j,\cdot)} \models G^s_{\leq n}\,\alpha$ again implies $s_i(\llbracket\alpha\rrbracket) = \mathit{true}$ and Constraint 21 is satisfied. ■

Proof: For $Op = R^s_{>n}$. Auxiliary variable rules: Let $i \in \mathbb{N}$. As always, we set $s_i(\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket)$ / $s_i(\llbracket\alpha\rrbracket)$ / $s_i(\llbracket\beta\rrbracket)$ to true iff $\sigma^{(i,\cdot)} \models \alpha \mathrel{R^s_{>n}} \beta$ / $\sigma^{(i,\cdot)} \models \alpha$ / $\sigma^{(i,\cdot)} \models \beta$, respectively. We set $s_0(c) = 0$ and $s_0(\mathit{left}_0) = \mathit{false}$. For $i > 0$ we set $s_i(c)$ and $s_i(\mathit{left}_0)$ according to Constraints 29, 30 and 31 and $s_{i-1}$. For setting the value of $oblig$, we use the same rules used for the untimed release $R^s$. That is, we set $s_i(oblig) = \mathit{true}$ iff at least one of the following holds:

1) $I_i$ is open and $s_i(\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket) = \mathit{true}$,

2) $I_{i-1}$ is a singleton and $s_{i-1}(\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket) = \mathit{true}$, or

3) $s_{i-1}(oblig) = \mathit{true}$ and $s_{i-1}(\llbracket\alpha\rrbracket) = \mathit{false}$.

The initial constraint is satisfied: The initial constraint is trivially satisfied as $s_0(c) = 0$ and $s_0(\mathit{left}_0) = \mathit{false}$.

The transition constraints are satisfied: Let $i \in \mathbb{N}$.

We observe that Constraints 24, 25 and 26 correspond to Constraints 16, 17 and 18 in the encoding of the untimed release operator. Consequently, Constraints 24, 25 and 26 are satisfied by the fact that we use the exact same rules for setting the value of $s_i(oblig)$.

The left hand side of the implication in Constraint 28 is satisfied precisely if $\sigma^{(i,\cdot)} \models \alpha \mathrel{R^s_{>n}} \beta$ and $I_i$ is an open interval whose bounds are more than $n$ time units apart. Then there are time points $t_1, t_2 \in I_i$ such that $t_2 - t_1 > n$. By the semantics of $R^s_{>n}$, this implies that $\beta$ holds at $(i,t_2)$ or that $\alpha$ holds somewhere in between $(i,t_1)$ and $(i,t_2)$. Thus, $s_i(\llbracket\alpha\rrbracket) = \mathit{true}$ or $s_i(\llbracket\beta\rrbracket) = \mathit{true}$, and the right hand side of the implication is satisfied as well.

We now argue that Constraint 27 is satisfied on interval $i$ using a case distinction:

Case 1: $s_i(oblig) = \mathit{false}$, or $T_c$ is not satisfied at interval $i$, or interval $I_i$ is open and $s_i(\llbracket\alpha\rrbracket) = \mathit{true}$. In this case, Constraint 27 is trivially satisfied at interval $i$.

Case 2: $s_i(oblig) = \mathit{true}$, either $I_i$ is a singleton or $s_i(\llbracket\alpha\rrbracket) = \mathit{false}$, and $T_c$ is satisfied at interval $i$. Note that $T_c$ holding at interval $i$ implies that $s_i(c) > 0$. Now pick $j \leq i$ as large as possible such that one of the following holds: (i) $j < i$ and $D_c$ holds at interval $j$, (ii) $R_c$ holds at interval $j-1$, or (iii) $j = 0$. By the choice of $j$ we know that (a) $R_c$ does not hold at intervals $j, \dots, i-1$, (b) $D_c$ does not hold at intervals $j+1, \dots, i-1$, and (c) $s_j(\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket) = \mathit{true}$. If $j$ was chosen based on (i) or (ii), (c) immediately follows from the definition of $D_c$ and $R_c$. If, in contrast, $j$ was chosen based on (iii) (implying $j = 0$), then assuming $s_j(\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket) = \mathit{false}$ leads to the observation that both $\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket$ and $oblig$ are false on a prefix of the run. Thus, $R_c$ holds on the first interval on whose successor $\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket$ holds. As $s_i(oblig) = \mathit{true}$ requires $\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket$ to hold on some interval up to $i$, this is the case on interval $i-1$ at the latest, contradicting the assumption that we picked $j$ based on (iii). Thus, $s_j(\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket) = \mathit{true}$ in each case.

Based on the update rules for $c$ and $\mathit{left}_0$, we know that $s_i(\mathit{left}_0) = \mathit{true}$ iff $I_j$ is open. Furthermore, $s_i(c)$ is the difference between the left bound of $I_i$ and the left bound of $I_j$, i.e. $s_i(c) + s_i(\delta)$ is the difference of the right bound of $I_i$ and the left bound of $I_j$. By our Case 2 assumption that $T_c$ is satisfied, this difference is greater than $n$. Therefore, regardless of the type of $I_i$ and $I_j$, we can pick $t_1 \in I_i$, $t_2 \in I_j$ such that $t_1 - t_2 > n$.

Let $\bar{i} := i$ if $I_i$ is open and $\bar{i} := i-1$ otherwise. Furthermore, let $\bar{j} := j$ if $I_j$ is open and $\bar{j} := j+1$ otherwise. Note that $\bar{i} \geq \bar{j}$. (As $i > j$, we know that $\bar{i} \geq \bar{j}-1$. Additionally, $\bar{i} = \bar{j}-1$ would require that $i = j+1$ and that both $I_j$ and $I_i$ are singletons, which contradicts $c + \delta > n$ at interval $i$.) Furthermore, note that the time points lying in between $(j,t_2)$ and $(i,t_1)$ now all belong to $I_{\bar{j}}, \dots, I_{\bar{i}}$. We now claim that both $s_{\bar{j}}(oblig) = \dots = s_{\bar{i}}(oblig) = \mathit{true}$ and $s_{\bar{j}}(\llbracket\alpha\rrbracket) = \dots = s_{\bar{i}}(\llbracket\alpha\rrbracket) = \mathit{false}$. Note that by our Case 2 assumptions we have $s_i(oblig) = \mathit{true}$, and $s_i(\llbracket\alpha\rrbracket) = \mathit{false}$ if $I_i$ is open (meaning $\bar{i} = i$). Thus, we only have to show that $s_{\bar{j}}(oblig) = \dots = s_{i-1}(oblig) = \mathit{true}$ and $s_{\bar{j}}(\llbracket\alpha\rrbracket) = \dots = s_{i-1}(\llbracket\alpha\rrbracket) = \mathit{false}$, which will be proven by induction over $k = \bar{j}, \dots, i-1$, for each $k$ assuming that we established $s_{\bar{j}}(oblig) = \dots = s_{k-1}(oblig) = \mathit{true}$ and $s_{\bar{j}}(\llbracket\alpha\rrbracket) = \dots = s_{k-1}(\llbracket\alpha\rrbracket) = \mathit{false}$ already.

Base case: $k = \bar{j}$. $s_{\bar{j}}(oblig) = \mathit{true}$ follows immediately from the fact that $s_j(\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket) = \mathit{true}$ and Rules 1 and 2 for setting the value of $oblig$.

Now assume $s_k(\llbracket\alpha\rrbracket) = \mathit{true}$. Recall that $s_i(oblig) = \mathit{true}$. This allows us to pick an $m$ as small as possible such that $k < m \leq i$ and $s_m(oblig) = \mathit{true}$. Then:

• If $m = k+1$, then based on the fact that $s_k(\llbracket\alpha\rrbracket) = \mathit{true}$, we know that $oblig$ was set to true on interval $m$ not based on Rule 3 but based on Rule 1 or 2.

• If $m > k+1$, then by the choice of $m$ we know that $s_{m-1}(oblig) = \mathit{false}$. Thus, we deduce that, again, $oblig$ was not set to true on interval $m$ based on Rule 3 but based on Rule 1 or 2.

Now we split based on the rule by which $oblig$ was set to true on interval $m$.

• If $oblig$ was set to true based on Rule 1 and Rule 2 does not apply, then $s_m(\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket) = \mathit{true}$ and $s_{m-1}(\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket) = \mathit{false}$ (as otherwise Rule 2 would apply). Furthermore, $I_m$ is open, implying that $I_{m-1}$ is a singleton.

  - If $m = k+1$, then as $s_k(\llbracket\alpha\rrbracket) = \mathit{true}$, $s_k(\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket) = \mathit{false}$ and $s_{k+1}(\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket) = \mathit{true}$, we conclude that $R_c$ holds at interval $m-1 = k \geq j$, contradicting observation (a).

  - If $m > k+1$, then $s_{m-1}(oblig) = \mathit{false}$. As additionally $s_m(\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket) = \mathit{true}$ and $s_{m-1}(\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket) = \mathit{false}$, we know that $R_c$ holds on interval $m-1 > k \geq j$, again contradicting observation (a).

• If $oblig$ was set to true based on Rule 2, then $I_{m-1}$ is a singleton and $s_{m-1}(\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket) = \mathit{true}$. Now:

  - If $m = k+1$, then $I_k$ is a singleton, implying that $k > j$ (as $k \geq \bar{j}$, it is not possible that $k = j$ when $I_k$ is a singleton). Now $s_k(\llbracket\alpha\rrbracket) = s_k(\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket) = s_k(oblig) = \mathit{true}$, $I_k$ is a singleton and $D_c$ holds at interval $k > j$. This contradicts observation (b).

  - If $m = k+2$, we further split cases based on the type of $I_k$.

    * If $I_k$ is open, then $s_k(\llbracket\alpha\rrbracket) = \mathit{true}$ and $s_{k+1}(\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket) = \mathit{true}$, meaning that $R_c$ is satisfied at interval $k$, again contradicting (a).

    * If $I_k$ is a singleton, then we again observe that $k > j$. Now one last split is necessary:

      · If $s_k(\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket) = \mathit{true}$, then $D_c$ holds at interval $k > j$, contradicting (b).

      · If $s_k(\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket) = \mathit{false}$, then $R_c$ holds on interval $k$ based on the fact that, additionally, $s_k(\llbracket\alpha\rrbracket) = \mathit{true}$ and $s_{k+1}(\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket) = \mathit{true}$, contradicting (a).

  - Assume $m > k+2$. By the choice of $m$ we know that $s_{m-2}(oblig) = \mathit{false}$ and $s_{m-1}(oblig) = \mathit{false}$, implying that $s_{m-2}(\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket) = \mathit{false}$. Now $R_c$ holds at interval $m-2 > k \geq j$ due to the fact that additionally $s_{m-1}(\llbracket\alpha \mathrel{R^s_{>n}} \beta\rrbracket) = \mathit{true}$, again contradicting (a).

As each case ended in a contradiction, we conclude that $s_k(\llbracket\alpha\rrbracket) = \mathit{false}$.

Inductive step: $\bar{j} < k \leq i-1$. Now $s_k(oblig) = \mathit{true}$ follows from the inductive hypothesis that $s_{k-1}(oblig) = \mathit{true}$ and $s_{k-1}(\llbracket\alpha\rrbracket) = \mathit{false}$ and Rule 3 for setting the value of $oblig$. Furthermore, we can derive that $s_k(\llbracket\alpha\rrbracket) = \mathit{false}$ by the same arguments used in the base case. Thus, we have shown inductively that $s_{\bar{j}}(oblig) = \dots = s_{i-1}(oblig) = \mathit{true}$ and $s_{\bar{j}}(\llbracket\alpha\rrbracket) = \dots = s_{i-1}(\llbracket\alpha\rrbracket) = \mathit{false}$.

Now as $s_{\bar{j}}(\llbracket\alpha\rrbracket) = \dots = s_{\bar{i}}(\llbracket\alpha\rrbracket) = \mathit{false}$, we know that there is no time point in between $(j,t_2)$ and $(i,t_1)$ at which $\alpha$ holds. As $\sigma^{(j,t_2)} \models \alpha \mathrel{R^s_{>n}} \beta$ and $t_1 - t_2 > n$, we can conclude that $\beta$ holds at time point $(i,t_1)$, meaning that $s_i(\llbracket\beta\rrbracket) = \mathit{true}$ and ultimately implying that Constraint 27 is satisfied at interval $i$. ■

Proof: For $Op = R^s_{\geq n}$. To adapt the proof for $Op = R^s_{>n}$ to $Op = R^s_{\geq n}$, we only need to argue that in Case 2, based on the fact that $T_c$ holds, we can pick $t_1 \in I_i$, $t_2 \in I_j$ with $t_1 - t_2 \geq n$. As $T_c$ holds, we know that the difference between the right bound of $I_i$ and the left bound of $I_j$ is $> n$, or the difference is $\geq n$ and both $I_i$ and $I_j$ are singletons. In both cases, we can pick $t_1, t_2$ with $t_1 - t_2 \geq n$. ■

G. Proof of Lemma 6

Lemma 6: Assume two states, $s$ and $t$, such that $s \approx t$. It holds that (i) $s \models \mathcal{I}$ iff $t \models \mathcal{I}$, and (ii) $s \models \mathcal{INV}$ iff $t \models \mathcal{INV}$. Furthermore, if there is a $\delta_s \in \mathbb{R}_{\geq 0}$ and a state $s'$ such that $s \cup \{\delta \mapsto \delta_s\} \cup \{y' \mapsto s'(y) \mid y \in X \cup Z\} \models \mathcal{T}$, then there is a $\delta_t \in \mathbb{R}_{\geq 0}$ and a state $t'$ such that $t \cup \{\delta \mapsto \delta_t\} \cup \{y' \mapsto t'(y) \mid y \in X \cup Z\} \models \mathcal{T}$ and $s' \approx t'$.

Proof: As $s \approx t$ and the only atoms involving clock variables in $\mathcal{I}$ and $\mathcal{INV}$ are of the form $x \bowtie n$, the definitions of $m_x$ and $\approx$ directly imply that (i) $s \models \mathcal{I}$ iff $t \models \mathcal{I}$, and (ii) $s \models \mathcal{INV}$ iff $t \models \mathcal{INV}$.

To prove the remaining claim, consider the state $s''$ such that (i) $s''(x) = s(x) + \delta_s$ for each clock $x \in X$, and (ii) $s''(z) = s'(z)$ for each non-clock $z \in Z$. As $s \cup \{\delta \mapsto \delta_s\} \cup \{y' \mapsto s'(y) \mid y \in X \cup Z\} \models \mathcal{T}$, we have $\delta_s \geq 0$ and for each $x \in X$ either $s'(x) = 0$ or $s'(x) = s(x) + \delta_s = s''(x)$. That is, intuitively $s''$ is obtained from $s'$ by "unresetting" the reset clocks.

Next, take any $\delta_t \in \mathbb{R}$ and state $t''$ such that (i) $\delta_t \geq 0$, (ii) $\delta_t = 0 \Leftrightarrow \delta_s = 0$, (iii) $t''(x) = t(x) + \delta_t$ for each clock $x \in X$, (iv) $t''(z) = s'(z)$ for each non-clock $z \in Z$, and (v) $s'' \approx t''$. Such $\delta_t$ and $t''$ exist because $s \approx t$ and because clock valuations in the same region have time successors in the same regions [1]. Let $t'$ be the state such that (i) for each $x \in X$, $t'(x) = 0$ if $s'(x) = 0$ and $t'(x) = t''(x) = t(x) + \delta_t$ otherwise, and (ii) $t'(z) = t''(z) = s'(z)$ for each non-clock $z \in Z$. Now $s' \approx t'$. As a summary, intuitively $t'$ is a state in the region that is obtained by letting time pass in a similar manner as when moving from $s$ to $s'$ and then resetting the same clocks.
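The construction just described (match the delay so that $s + \delta_s$ and $t + \delta_t$ lie in the same region, then reset the same clocks) can be carried out concretely. The Python below is an added example and not code from the paper. It assumes that $\approx$ is the standard region equivalence of clock valuations with respect to per-clock maximal constants $m_x$ (same integer part for every clock below its bound, same clocks with zero fractional part, same ordering of fractional parts), and the function names `region`, `matching_delay` and `lemma6_step`, as well as the sample valuations, are the example's own.

```python
"""Clock regions and the time-successor step of Lemma 6.

Added example, not code from the paper. Assumption: the equivalence ~ on clock
valuations is the standard region equivalence w.r.t. per-clock maximal constants
m_x: for every clock below its bound, the same integer part, the same clocks with
zero fractional part, and the same ordering of the fractional parts.
"""
from fractions import Fraction
from math import floor
from typing import Dict, Optional, Set, Tuple

Valuation = Dict[str, Fraction]


def val(**clocks) -> Valuation:
    """Build a valuation from strings/ints, e.g. val(x='0.3', y='1.6'); exact arithmetic throughout."""
    return {x: Fraction(v) for x, v in clocks.items()}


def region(v: Valuation, maxc: Dict[str, int]) -> Tuple:
    """Canonical signature of the region containing v (clocks above m_x count as unbounded)."""
    clocks = sorted(v)
    bounded = [x for x in clocks if v[x] <= maxc[x]]
    ints = tuple((x, floor(v[x]) if x in bounded else None) for x in clocks)
    groups: Dict[Fraction, list] = {}
    for x in bounded:  # group bounded clocks by fractional part, ascending
        groups.setdefault(v[x] - floor(v[x]), []).append(x)
    order = tuple((f == 0, tuple(g)) for f, g in sorted(groups.items()))
    return (ints, order)


def equivalent(v: Valuation, w: Valuation, maxc: Dict[str, int]) -> bool:
    return region(v, maxc) == region(w, maxc)


def delay(v: Valuation, d) -> Valuation:
    """Let d time units pass: every clock advances by d."""
    return {x: v[x] + Fraction(d) for x in v}


def reset(v: Valuation, clocks: Set[str]) -> Valuation:
    return {x: (Fraction(0) if x in clocks else v[x]) for x in v}


def matching_delay(s, t, delta_s, maxc) -> Optional[Fraction]:
    """Given s ~ t and delta_s >= 0, return delta_t >= 0 with s+delta_s ~ t+delta_t and
    delta_t == 0 iff delta_s == 0 (the delta_t of the proof). The region of t+d only
    changes when some clock of t crosses an integer, so probing those boundaries and
    the midpoints between them, up to the largest constant plus one, visits every
    time successor region of t."""
    delta_s = Fraction(delta_s)
    if delta_s == 0:
        return Fraction(0)
    target = region(delay(s, delta_s), maxc)
    bound = max(maxc.values()) + 1
    points = {Fraction(0), Fraction(bound)}
    for x in t:
        k = -(-t[x] // 1) - t[x]  # distance from t[x] up to the next integer (0 if integral)
        while k <= bound:
            points.add(k)
            k += 1
    pts = sorted(points)
    candidates = pts + [(a + b) / 2 for a, b in zip(pts, pts[1:])]
    for d in sorted(candidates):
        if d > 0 and region(delay(t, d), maxc) == target:
            return d
    return None  # unreachable when s ~ t: equivalent regions have the same successor chains


def lemma6_step(s, t, delta_s, resets: Set[str], maxc):
    """The proof's construction: from s ~ t, the delay delta_s and the clocks reset
    in s', obtain delta_t and t' = (t + delta_t) with the same clocks reset."""
    assert equivalent(s, t, maxc)
    delta_t = matching_delay(s, t, delta_s, maxc)
    assert delta_t is not None
    return delta_t, reset(delay(t, delta_t), resets)
```

With `MAXC = {'x': 2, 'y': 2}`, `s = val(x='0.3', y='1.6')` and `t = val(x='0.1', y='1.7')` are region-equivalent; for $\delta_s = 1/2$ the clock $y$ of $s$ leaves its bound, and `matching_delay` returns $\delta_t = 3/5$, the first probed delay at which $y$ of $t$ does the same while $x$ stays in its region. Resetting $x$ on both sides then yields equivalent $s'$ and $t'$, as the proof requires.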

Now we only have to show that $t \cup \{\delta \mapsto \delta_t\} \cup \{y' \mapsto t'(y) \mid y \in X \cup Z\} \models \mathcal{T}$. We do this by showing that the atoms in $\mathcal{T}$ evaluate to the same boolean value under both $s \cup \{\delta \mapsto \delta_s\} \cup \{y' \mapsto s'(y) \mid y \in X \cup Z\}$ and $t \cup \{\delta \mapsto \delta_t\} \cup \{y' \mapsto t'(y) \mid y \in X \cup Z\}$.

• Case: the atom does not involve variables in $X \cup X' \cup \{\delta\}$. In this case the atom evaluates to true under $s \cup \{y' \mapsto s'(y) \mid y \in X \cup Z\}$ if and only if it does under $t \cup \{y' \mapsto t'(y) \mid y \in X \cup Z\}$, because $s \approx t$ and $s' \approx t'$.

• Case: the atom is of the form $x' = 0$. Because $s' \approx t'$, the atom evaluates to true under $\{y' \mapsto s'(y) \mid y \in X \cup Z\}$ if and only if it does under $\{y' \mapsto t'(y) \mid y \in X \cup Z\}$.

• Case: the atom is of the form $x' = x + \delta$. We have to consider the following:

  1) Sub-case $s'(x) = 0$. Thus $t'(x) = 0$ as well because $s' \approx t'$. Now $x' = x + \delta$ evaluates to true under $s \cup \{\delta \mapsto \delta_s\} \cup \{y' \mapsto s'(y) \mid y \in X \cup Z\}$ if and only if $s(x) = 0$ and $\delta_s = 0$ (as $x$ and $\delta$ always have non-negative values).

    a) If $s(x) = 0$ and $\delta_s = 0$, then $t(x) = 0$ and $\delta_t = 0$ as well because $s \approx t$ and $s'' \approx t''$ (forcing that $s(x) + \delta_s = 0$ if and only if $t(x) + \delta_t = 0$).

    b) If $s(x) > 0$, then $t(x) > 0$ as $s \approx t$, and thus $s'(x) \neq s(x) + \delta_s$ and $t'(x) \neq t(x) + \delta_t$.

    c) If $s(x) = 0$ and $\delta_s > 0$, then $t(x) = 0$ as $s \approx t$, and $\delta_t > 0$ as $s'' \approx t''$ and $s''(x) = s(x) + \delta_s > 0$, implying that $s'(x) \neq s(x) + \delta_s$ and $t'(x) \neq t(x) + \delta_t$.

  2) Sub-case $s'(x) > 0$. Now also $t'(x) > 0$ as $s' \approx t'$. As $s'(x) > 0$, it must be that $s'(x) = s(x) + \delta_s$ because of the restriction imposed on $\mathcal{T}$. By the construction of $t''$ and $t'$, $t'(x) = t''(x) = t(x) + \delta_t$.

• Case: the atom is of the form $x \bowtie n$. Because $s \approx t$, the atom evaluates to true under $s$ if and only if it does under $t$.

• Case: the atom is of the form $x + \delta \bowtie n$. By the construction of $s''$ and $t''$, and the fact that $s'' \approx t''$, we have that $s''(x) = s(x) + \delta_s \bowtie n$ if and only if $t''(x) = t(x) + \delta_t \bowtie n$.

• Case: the atom is of the form $\delta \bowtie 0$. Because $\delta_s \geq 0$, $\delta_t \geq 0$, and $\delta_s = 0 \Leftrightarrow \delta_t = 0$, the atom evaluates to true under $\{\delta \mapsto \delta_s\}$ if and only if it does under $\{\delta \mapsto \delta_t\}$.



